What is smartwebfinders?

[DavidGretzschel]

In Google Chrome, I just got a popup, that looked roughly like this:
https://security.stackexchange.com/questions/262979/what-will-happen-if-i-accept-this-change-your-search-setting-to-smartwebfinder

Told me either to disable SurfingKeys or to "change my search settings to smartwebfinders".
I accepted, since I wanted to keep using SurfingKeys.
I looked into my Chrome settings, but my default engine was still listed as Google.
I have no clue, what this "searchsetting" even is. It does look a bit scammy, though.
What's up with that?
Also of note: I did not get this popup in Microsoft Edge.

EDIT: I just got the popup in Edge eventually, probably when the extension automatically updated a bit later. See below for screenshot.

[dankilman]

I'll add that the new version is 1.0.7 whereas the version in this repo is still 1.0.6 so I think someone took over the extension

[thergbway]

I decided to stop using Surfingkeys before author explanation

[DavidGretzschel]

Looks like it will be a ticking time bomb.

Here is my solution:

• Remove version 1.0.7, go to Crx4Chrome to find and download the extension file in version 1.0.6
• Unzip it , place the folder where you like and change the "update_url" in manifest.json to an non-existent URL, such as "https://clients2.google.com/service/update2/crx/error"
• Go to chrome://extensions/ and load the unpacked extension on the top left of the page

Done!🥳

Janky, but doable. Thanks for walking me thru it <3

[DavidGretzschel]

Now Edge is giving me the same warning. Here's what this looks like:

[brookhong]

Don't panic.

smartwebfinder basically is sponsored promotion of bing, but it should not force you to change your search engine. Please let me know if it does.

[DavidGretzschel]

So what does it do, exactly?
What is this "searchsettings"-thingadybob?
Those are the results I get, when I search for "smartwebfinder":
https://www.google.com/search?q=smartwebfinder&rlz=1C1GCEA_enDE981DE981&sxsrf=ALiCzsaW_wVKk4ryO6XAPYAxUJ0azKNzPg%3A1660846784594&ei=wIL-YqTbI8fP7_UP-42s6A8&ved=0ahUKEwiku_y0gNH5AhXH57sIHfsGC_0Q4dUDCA8&uact=5&oq=smartwebfinder&gs_lcp=Cgxnd3Mtd2l6LXNlcnAQA0oECEEYAEoECEYYAFAAWABgYGgAcAB4AIABAIgBAJIBAJgBAKABAcABAQ&sclient=gws-wiz-serp

I'd not call that a "ticking time bomb", but not something I'd want to think about either, if I cared moderately about security/privacy/my data etc.
Which personally I do not. (I have used Lenovo laptops before, lol)
But the general audience for this lovely extension probably does quite a bit.

[webavant]

smartwebfinder basically is sponsored promotion of bing, but it should not force you to change your search engine. Please let me know if it does.

Brook, smartwebfinders.com is not associated with Bing or Microsoft. I just checked a whois for the IPv4 address currently hosting it, which is a private 1and1 server. Either way, affecting the browser search is not listed as an intended feature of surfingkeys, and is thus deceptive and probably in violation of multiple corporate policies.

[DavidGretzschel]

smartwebfinder basically is sponsored promotion of bing, but it should not force you to change your search engine. Please let me know if it does.

Brook, smartwebfinders.com is not associated with Bing or Microsoft. I just checked a whois for the IPv4 address currently hosting it, which is a private 1and1 server. Either way, affecting the browser search is not listed as an intended feature of surfingkeys, and is thus deceptive and probably in violation of multiple corporate policies.

Hmm... interesting.
EDIT: Nvm

[isaiahtaylor]

I can't find any code that would cause this change. Can anyone find a commit?

If not, it means the extension getting uploaded to the store is not trustworthy.

[webavant]

the extension getting uploaded to the store is not trustworthy.

This is clearly the case. Higher up in the thread, the author, @brookhong, acknowledged that the extension is implementing something with smartwebfinders.com, which falls outside the listed intended feature set of the extension.

[isaiahtaylor]

git clone [email protected]:brookhong/Surfingkeys.git
cd Surfingkeys
grep -r "smartwebfinder" .
# no output
grep -r "smartweb" .
# no output
grep -r "webfinder" .
# no output

[webavant]

Hmm... interesting. Hey @brookhong, would you kindly tell me what is 3^(24x54) mod 17?

Perhaps whoever now controls this account isn't a programmer. Funny, yet sad.

Also who was our boss at IBM, when we worked on that stupid Java-server thing together? Forgot his name.

Even sadder, yet. I hope both of you are well and that good things come, even if it must be at the sad expense of my very favorite browser extension. :(

[paradox460]

If you want to run the extension from source, you can just clone/fork this repo, then run

npm i && npm run build:prod`

Then you just open chrome://extensions, check the Developer Mode toggle on, and click Load Unpacked.

Navigate to <your repo>/dist/chrome/ and use that folder as the unpacked extension.

[neta540]

This is all too sketchy.

[shivanthzen]

Interestingly, the build for master failed all too suddenly yesterday with a couple of README changes

[wooseopkim]

I'm ditching this malware for Vimium.

[windowswithoutborders]

Firefox is still on 1.0.6, fortunately, but out of principle I feel like removing it. Absolutely gutted at this turn of events, and, short of the developer's account being highjacked, I hope the change is reverted. Hopefully they can respond to @DavidGretzschel, David the real MVP with that surprise identity verification test.

[cool-beef]

Fantastic, thanks for turning my favorite extension into malware

[fno2010]

Just downloaded crx from web store, and made a diff to the crx compiled from the latest source:

➜ diff chrome/manifest.json webstore/manifest.json
1a2,3
> "update_url": "https://clients2.google.com/service/update2/crx",
>
85,86c87,98
<   "content_security_policy": "script-src 'self' chrome-extension://aajlcoiaogpknhgninhopncaldipjdnp; object-src 'self'",
<   "version": "1.0.6",
---
>   "content_security_policy": "script-src 'self'; object-src 'self'",
>   "version": "1.0.7",
>   "chrome_settings_overrides": {
>     "search_provider": {
>       "name": "Smart",
>       "keyword": "Smart",
>       "search_url": "https://smartwebfinders.com/?n=1&q={searchTerms}",
>       "favicon_url": "https://smartwebfinders.com/favicon.ico",
>       "encoding": "UTF-8",
>       "is_default": false
>     }
>   },

Can someone tell me why this chrome_settings_overrides option was added?

[webavant]

Interestingly, the build for master failed all too suddenly yesterday with a couple of README changes

Curious indeed. In the interest of forensics, I wonder what the intent was there. It seemed like an inconsequential, yet very timely merge, yet why not just ignore github altogether in releasing the build to the app store? And why bother commenting on github at all, when it's clear to all what happened here.

[brookhong]

Sorry for late reply.

The customized search provider smartwebfinders is added into Surfingkeys to make me profit from it as the main author. There is nothing need to hide here.

Does Surfingkeys really change your search settings?

Yes, it does. It just adds a customized search provider into the browser with support from the browser itself, please see chrome_settings_overrides in this commit.

And it looks like this, you can check it from chrome://settings/searchEngines

Will it change your default search engine?

No, is_default is set false for the search provider.

Is there any chance to remove it?

I will remove it if someone has evidences that the search provider does bad things. Or I find a better way to monetize it. Or it does not work at all on monetization.

How can you help me?

Use sw or ow occasionally.

[ocdtrekkie]

@brookhong FYI, this is a violation of Chrome's Developer Program Policies: https://developer.chrome.com/docs/webstore/program_policies/#single-purpose which even gives an example of a violation like "PDF converters which also aim to change a users default search engine."

Which is to say, you should probably remove it very quickly and hope Google doesn't ban your extension, your Google account, and your Gmail.

[brookhong]

Thanks, as I had explained, the setting does NOT change users' default search engine, please show me if it does.

[ocdtrekkie]

@brookhong The example also talks about a PDF app. The problem is that it adds a search provider to the browser, even though that has nothing to do with the core functionality of the app. That's a violation of #single-purpose, even if it doesn't change the default. Even though the eventual destination may be Bing's index, routing "search with bing" to a site that is not Bing is also violating #impersonation

[DavidGretzschel]

Thanks, as I had explained, the setting does NOT change users' default search engine, please show me if it does.

Never really was about that. It was about having no idea, what the new permission did and a quick google search making it appear incredibly suspicious and not much else. Your explanation of it allowing you to profit from ow and sw makes sense to me (not, that you couldn't tell me pretty much anything... but a good-sounding explanation is far better than none).

Sorry for getting overly paranoid about it. This is my favorite browser extension by far, so I hope you don't get into too much trouble now, by all the people who probably already reported your extension for violating rules/technicalities/being generally very sus all of a sudden. Adding this feature in, seems far more trouble than it's worth from my perspective.
Since I cannot imagine people wanting to use Bing. And if they cared enough to do this to help you, they'd probably care enough to donate an equivalent sum on average to make this worth your time, if you asked.
[unless I'm vastly overestimating how much money Bing could possibly pay out/how okay people would be with using it, which admittedly I have only prejudice to go on]

[b0o]

@brookhong I totally understand your position of wanting to profit off of your hard work. You’ve doubtless put in many hundreds or thousands of hours of work into this extension, and your time is valuable. That being said, I think it’s questionable to push changes like this without user consent or awareness. Would you consider other approaches to monetization, like making the donation buttons more prominent or setting up a patreon/opencollective?

This is a fate that I have seen befall many browser extensions. Extensions are very difficult to monetize in a way that benefits the user, but they are very easy to monetize in nefarious or questionable ways. I’m aware that you likely receive countless emails from black hat actors who offer to purchase the extension or pay you to inject their code. Every developer of a popular extension receives solicitations like this, and I’m sure over time many developers give in and sell out. I am not accusing you of selling out, if the changes are as simple as adding an optional search provider, but it’s a step in the wrong direction in my view, and it erodes community trust.

I would personally be willing to step up and sponsor your development on a recurring basis via Patreon or the like, and I’m sure a number of others would be willing as well. But my willingness would require this extension stay clean of these sorts of changes, whether malicious or benign. The extension should remain true to its purpose, in my opinion.

I really love this extension. I use it every day as my primary way of surfing the web, and I really appreciate all of your hard work. If you’d like to chat about ideas, my inbox is always open (base64: bWFkZHlAbmEuYWkK).

[isaiahtaylor]

This is really tough. Like some commenters have said, I really really appreciate your hard work on this extension. I use it every single day. You have built something that is very valuable to me and many others!

But that's a double-edged sword. The value is matched by a high bar of trust. After all, this extension has access to my bank website, proprietary source code when I access GitHub, my passwords when I use my password manager in the cloud... etc etc.

When I first started using this extension, I was acutely aware of the risks, so I took time to vet the source code in this repo and I keep up to date with the commits that come through. I liked that there was a lot of activity on it, which meant that other people were likely to be reviewing the source as well.

Unfortunately, that trust has been totally broken here. The biggest issue is that the plugin changed based on private code on your computer, bypassing the open source review that naturally occurs when you merge code on GitHub. I see that since this issue has been raised, you have uploaded the commits. I appreciate that. But I also now have no faith in the process of deployment, and that other code won't be injected without open source review in the future. I have to wonder whether or not we would ever know about this if it hadn't been for Chrome's permission popup.

The sad part is that I would have happily paid $5 / mo or possibly even more just to use this; like I said I use it every day. I probably even could've been alright with the weird alternate search engine, if my researched showed that it wasn't harmful.

But as it stands now, I have no choice but to fork.

[dalsvk]

I recently switched from Vimium, and i just fell in love with it until this whole debacle.

Absolutely agree with @isaiahtaylor , that it's all about the trust which has been tampered with. I have nothing but respect for your work, but pushing something like this without user consent is just not okay.

[brookhong]

@b0o

Thank you for understanding and your long term support on this extension. I will consider your advice carefully then reply you an email later on how we can make this project surive and thrive.

For this smartwebfinders, please allow me keep it for one week, see how it works then make my decision, so far the donation rate is very/very low.

@isaiahtaylor

Thanks for raising your concern.

Usually release of this extension to Chrome Web Store does not match code commit into this repo exactly on the perspective of time. Release to Chrome Web Store usually happens earlier, as something might need to be changed during review/release process on CWS. The code change will then be committed into this repo in days after a release successfully published, depends on my time as a human being, everything does not happens automatically or in a full code deploy pipeline. The change of this commit -- adding chrome_settings_overrides into manifest.json also needs approval from CWS first, if it does not get approved, I will also not commit the code change. That's how it works.

The biggest issue is that the plugin changed based on private code on your computer, bypassing the open source review that naturally occurs when you merge code on GitHub.

I have explained the release process above, release to CWS happens earlier than code commit to github usually. There is no private code here, please build it and compare the output with the one downloaded from CWS.

[isaiahtaylor]

@brookhong thanks for the insight into the deployment pattern. I wonder if other popular extensions are doing the same thing; I hope not. It's better to keep it all public and have to revert if CWS rejects the build.

You seem like a reasonable guy, just trying to make a profit from your hard work. But the level of access / use that this extension has is simply too high for any amount of funny business. Adding a sketchy affiliate program that is unrelated to the value of the extension, without telling any of your users, and deploying to onto our machines without it being in source code, crosses the line.

[DavidGretzschel]

For this smartwebfinders, please allow me keep it for one week, see how it works then make my decision, so far the donation rate is very/very low.

I was not even aware that you took donations. Finally found it at the bottom of the "Readme.md".
https://github.com/brookhong/Surfingkeys#donate
So may I suggest that you put the Donate-header at the very top, as well? Also maybe add another link here:
https://brookhong.github.io/#
Putting it only at the very bottom of the Readme, made it hard to discover.
Also maybe add Bitcoin, ETH-payment options, if possible. Crypto millionaires do exist.
And make the PayPal-option as prominent as Wechat and Alipay (which no Westerner is likely to even parse as being money-related) a bit more prominent.
I'd guess your low donation rates might at least partly be explained by the sometimes counterintuitive power of "trivial inconveniences":
https://www.lesswrong.com/tag/trivial-inconvenience

I myself will donate once I get rich (no matter what happens to the extension, since I already got a lot of value from it). Just right now, I am rather broke I'm afraid.

[shivanthzen]

Reading through this conversation, couple of observations:

1. This is also probably a bug in chrome. It should have only asked about adding a search provider (not about a default search provider) since default property is false. The message about changing the default is what rang alarm bells for me.
2. Since there has been a lot of concern raised here about security, it might be a good choice to think about the release flow a bit. There were concerns raised about mismatching code in the repository and CWS, uploading private code etc. If getting approval from CWS is the bottleneck I can suggest keeping a separate branch (dev ?) for release candidates. This way there is higher visibility for anyone who wants to correlate what is there in CWS and repo. Since this plugin is granted quite a lot of permissions, security should be a central principal to gain trust from the community. (There was a 24 hour window where people were convinced this GitHub account was taken-over due the lack of transparency).

Thanks once again for writing this awesome plugin.

[paradox460]

You might also consider trying Github Sponsors. Its a donation/payment system built into github

[neta540]

I have explained the release process above, release to CWS happens earlier than code commit to github usually. There is no private code here, please build it and compare the output with the one downloaded from CWS.

• Having code changes such as sending our search queries through "Bing" to a third party, while still showing the search engine as Bing is not cool, especially without letting us know of the changes first.
• Adding a search engine to our browser settings while the extension doesn't really have a good reason to do so is also a very probable violation of the CWS.
• I get your enthusiasm to monetize the project and there are many ways to do so, but after the recent events I find it really difficult to trust and support this project.
• The project uses webpack and minification, which makes it harder to compare to the original source code.

The only way I see this working out (maybe) is to be transparent: to set a GitHub actions pipeline which will publish the outputs as release assets which we can compare to the ones appearing in CWS. The pipeline has to be clear and trustable again.

[brookhong]

Thanks @shivanthzen for the reasonable comments.

Your suggestion on a separate branch for release candidates sounds like a good idea, previously I kept everything as simple as possible. For large breaking changes, dev branch will be used definitely. For small change, I prefer to change the release flow -- commit code change to github first as @kfot suggested, one drawback of which is that some unwanted version bumping will be involved, but which should not be big deal comparing with the security concerns.

This smartwebfinders will be removed soon since so many of you are having concern about it and it also does not work in a proper way for me -- why use this suspicious domain name instead of bing's domain directly.

[yehya]

https://github.com/yehya/SuperUser

[yehya]

Reverted the change yehya@e09e269

I'll be releasing a separate version since the license seems to allow it: https://github.com/brookhong/Surfingkeys/blob/master/LICENSE

[devnoname120]

@yehya Looks like your fork is already outdated. Also your comment has an unnecessary aggressive tone — remember that everyone is having good intents.

[userrand]

This is really tough. Like some commenters have said, I really really appreciate your hard work on this extension. I use it every single day. You have built something that is very valuable to me and many others!

But that's a double-edged sword. The value is matched by a high bar of trust. After all, this extension has access to my bank website, proprietary source code when I access GitHub, my passwords when I use my password manager in the cloud... etc etc.

When I first started using this extension, I was acutely aware of the risks, so I took time to vet the source code in this repo and I keep up to date with the commits that come through. I liked that there was a lot of activity on it, which meant that other people were likely to be reviewing the source as well.

Unfortunately, that trust has been totally broken here. The biggest issue is that the plugin changed based on private code on your computer, bypassing the open source review that naturally occurs when you merge code on GitHub. I see that since this issue has been raised, you have uploaded the commits. I appreciate that. But I also now have no faith in the process of deployment, and that other code won't be injected without open source review in the future. I have to wonder whether or not we would ever know about this if it hadn't been for Chrome's permission popup.

The sad part is that I would have happily paid $5 / mo or possibly even more just to use this; like I said I use it every day. I probably even could've been alright with the weird alternate search engine, if my researched showed that it wasn't harmful.

But as it stands now, I have no choice but to fork.

@isaiahtaylor
Hi sorry, I have never built a web extension from source. Are these instructions from the other comment sufficient: #1796 (comment)

[Fred-Vatin]

Thanks @shivanthzen for the reasonable comments.

Your suggestion on a separate branch for release candidates sounds like a good idea, previously I kept everything as simple as possible. For large breaking changes, dev branch will be used definitely. For small change, I prefer to change the release flow -- commit code change to github first as @kfot suggested, one drawback of which is that some unwanted version bumping will be involved, but which should not be big deal comparing with the security concerns.

This smartwebfinders will be removed soon since so many of you are having concern about it and it also does not work in a proper way for me -- why use this suspicious domain name instead of bing's domain directly.

Thanks for having made the release candidate public. It means a lot for users and the prosperity of this add-on I’m starting to use, replacing Vimium C.