When good extensions go bad: buyer turns Particle into adware

Web browser extensions, plugins, and add-ons are popular, and with good reason: they can add functionality, enhance productivity and improve security for users.

Particle for Chrome, originally called YouTube Plus, allowed users to customize the YouTube UI – but then in May, the developer reported problems they were having with maintaining Particle’s development and posted their news on GitHub.

For those of you that haven’t been following the events around YouTube Plus lately, the extension was placed on EOL (end of life) support due to the new YouTube layout being drastically different than the classic layout – demanding a complete rework of the extension – and my limited time to spare for working on the extension. On top of that the extension was also banned from the Chrome webstore with no reason given, a situation which led me to move the extension to Opera and drop Chrome once the new extension version is finalized.

Fortunately I was able to finally find a way to work around the complexity that is the new YouTube layout and I am currently working from scratch on a new and modular version of the extension just for the new layout, but this will still be a slow process.

Unfortunately, with all of this happening in such a short period of time a mess was generated. Because the Opera add-on store did not accept the YouTube name in the extension I had to change it to Particle, but I was planning on using that name for the new version of the extension and now I have this name collision on the Opera side if I try to keep the same name for a different version. Another issue that has raised is the repository itself, it is called Particle as well, but it is being used for the YouTube Plus name.”

Then on July 11, Particle’s developer announced that the Chrome extension has changed ownership.

The extension has been sold, but only the Chrome extension. Everything else remains intact and on life support.

I was approached with a business proposal to either run ads on the extension or sell it. My first reply was that no matter what conclusion the business could lead to, the users would have to be informed prior to the change and unrelated feature changes would have to be opt-in by default.

On the same day, users of the Particle extension were asked for two new permissions, “read and change data on websites visited,” and “manage apps, extensions, and themes”. Security-minded users were understandably concerned.

To the developer’s credit, they did do some research on the organization that had offered to buy the Particle Chrome extension before they sold it. They said:

I did research the entity that contacted me and found no warning signs, which is why I decided to trust it at the end.

I was assured that their services are Google compliant and, to a certain extent, they are, from what I have seen in their code, but the current changes are way, way ad aggressive. The extension also warns users of the new changes, but not how I wanted. Asking for new permissions is not the same thing as explaining why those are being requested and what changes the extension would contain. Also turning off the support tab was not a good sign.

It appears that Particle’s buyer asked the developer about a user data collection function. The developer said there wasn’t one. That should have been a warning sign. Why should an extension that simply enables users to change a web service’s UI collect user data?

So Particle for Chrome is now adware.

Let this be a warning to web browser extension users. Choose your extensions carefully, and check them every so often to make sure they haven’t acquired functions that could be malicious, such as acquiring unnecessary data or serving unwanted ads. Assuring that you have no malicious extensions is easier if you only use a few of them, and a lot more difficult if you use a dozen or more. Plus, having a large number of extensions can noticeably slow down your web browser’s performance by using too much memory.

Let this also be a warning to well-intentioned extension developers: if you’re going to sell your code to another party, be extra careful to make sure that they respect your users and don’t intend to turn your work into malware.