Can you trust your browser extensions? Exploring an ad-injecting chrome extension
I wanted to download a YouTube video recently so I installed a "U-Tube Downloader" extension. It is highly rated, seemed legit, so I added it. It puts a nice Download button next to any YouTube video. Like greasemonkey script it was there when I needed and it, and out of sight otherwise.
I installed it and forgot about it. So, put a pin in that and read on...
Today I was on my own site and this happened. A video slid onto my page from the right side and started playing. I was gobsmacked. I know this site, I know its code. I know my advertisers. WTH. Where is this coming from?
It's the surfing video there in the lower right corner.
First I knee-jerk emailed my advertiser asking if they were injecting this, then I pulled back and started to Inspect Element.
Looks like there's a supporting iframe, along with an injected div. That div includes JS from "vidible.tv" and the ads are picked from "panoramatech." But that's not all.
There's references to literally a half-dozen other ad-networks and then this, something called RevJet.
Search around and here's the first description of what RevJet is.
Whoa, ok, it's an extension. But which one? Grep for "Rev" in this folder C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Default\Extensions and I my U-Tube one.
Nicest Ad Ever
I particularly like the comment "nicest ad ever."
This extension also injects ads from "Yllix" when I'm on YouTube, and RevJet when elsewhere. Apparently if I set revjetoptout in my local storage, I can get around this. Very NOT intuitive. I saw no options for this extension exposing this.
Worse yet, every once in a while, Kim Kardashian shows up in my New Tab page. Again, there's no way for non-technical relative to figure this out. And it's pretty hard for technical me to figure it out. This is deceptive at best.
Yes, I realize someone put work into this extension, and yes, I realize it was free. However, it wasn't clear that it was going to randomly inject ads into any website without asking. It wasn't clear that the ads were injected by this extension. There was/is no clear way for anyone without the ability to debug this to make it stop. Charge me a $1, but don't reach into webpages I visit and mess with my content without telling me.
I recommend you check out chrome://extensions/ and give each enabled one a good hard look. Consider disabling or uninstalling extensions you may have forgotten about or ones you don't explicitly trust. If you're a dev, consider reading the code within the extensions and make sure you're getting what you expect.