
JSON Formatter Chrome Plugin Now Closed and Injecting Adware

Posted by jkl5xx | 2 hours ago | 22 comments

jansommer 31 minutes ago

Guy talks about switching to the "Classic" version if

> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.

Wow, that sounds like a tough choice. JSON formatting is moving at such a fast pace that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.

jkl5xx 2 hours ago

Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.

Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.

I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.

At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.

computerfriend an hour ago

Interesting that the author, Callum Locke, seems to be a real person with a real reputation to damage. Previously this would have been a trust signal to me; I figured real developers would be less likely to go rogue given the consequences.

wesbos 6 minutes ago

I noticed this a week ago. Ended up building my own that has all the features I love from using several over the years.

https://github.com/wesbos/JSON-Alexander

binaryturtle 12 minutes ago

I guess you really need to unpack each and every extension before installation and carefully inspect the code manually to see if it would only be doing what the extension is advertising.

Darn…

and I thought that the JSLibCache extension forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.

jmuguy 19 minutes ago

I actively try to get coworkers to audit, remove and work without browser extensions. Google and Firefox clearly do not care to spend even a modicum of effort to police their marketplaces. There are only a few I would trust, and I assume all others to be malware now or at some point in the future.

nightpool an hour ago

The same thing happened to ModHeader https://chromewebstore.google.com/detail/modheader-modify-ht... -- they started adding ads to every google search results page I loaded, linking to their own ad network. Took me weeks to figure out what was going on. I uninstalled it immediately and sent a report to Google, but the extension is still up and is still getting 1 star reviews.

captn3m0 41 minutes ago

The JSONView extension on Firefox was targeted a while ago. (2017?)

I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).

tadfisher an hour ago

WebExtension permissions are fucking broken if the set of permissions necessary to reformat and style JSON snippets is sufficient to inject network-capable JavaScript code into any page.

If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
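Added example, not part of the thread and not code from any extension named in it: a manifest check for the grant discussed in the comment above, where a formatter that needs to see every page also gets script access to every page. The sample manifests and finding names are constructed for illustration.

```javascript
// True when a match pattern covers every host: "<all_urls>" or a bare "*" host.
function isBroad(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns findings for manifest entries that let the extension run script on any site.
function auditManifest(manifest) {
  const findings = [];
  // Declared content scripts are injected automatically on every matching page.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length) {
      findings.push({ kind: "content_script_all_sites", patterns: broad, files: cs.js || [] });
    }
  }
  // MV3 lists hosts in host_permissions; MV2 mixes host patterns into permissions.
  const perms = manifest.permissions || [];
  const hosts = [...(manifest.host_permissions || []), ...perms].filter(isBroad);
  if (hosts.length) {
    findings.push({ kind: "host_access_all_sites", patterns: hosts });
    // MV2 tabs.executeScript needs only host access; MV3 also needs "scripting".
    if (manifest.manifest_version === 2 || perms.includes("scripting")) {
      findings.push({ kind: "programmatic_injection" });
    }
  }
  return findings;
}

// Constructed sample: a viewer that inspects every response to detect JSON.
const formatterLike = {
  manifest_version: 3,
  name: "Example JSON viewer",
  permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
};
// Constructed sample: only runs on the tab the user explicitly invokes it on.
const scoped = {
  manifest_version: 3,
  name: "Example scoped viewer",
  permissions: ["activeTab", "scripting"],
};

for (const m of [formatterLike, scoped]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

A finding here means an update can change what runs on every page without the browser asking for any new permission, so the check belongs at install time and again after each update.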

gsibble an hour ago

Is it me or is this happening more and more frequently?