Several days ago, a thread on Reddit claimed Hoverzoom was malware. Apparently this was also seen several months ago. Apparently it sent info back to some ad agency (if that was indeed an ad agency). It was claimed that only ‘unusual domain names’ were ‘tested’, and that the data collected was ‘anonymous’. Sure. Then it was claimed that a script to disable that would be added.
Testing of the extension revealed:
- Hoverzoom injects code into some or all of the web pages you visit while the extension is running.
- Hoverzoom modifies "certain Amazon links" on all websites you visit, adding its own affiliate ID.
- The extension sends the browsing habits that it collects to third-party websites (webovernet.com and jsl.blankbase.com).
- It sends domain misspellings to another third party website (advisormedia.cz).
- All monetization schemes are active by default.
- On December 17, version 4.27 was released, which submits what you type into web forms to a third-party website (qp.rhlp.co).
- On December 18, version 4.28 was released, which removed the script that was added on December 17.
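One way to check an unpacked extension for the behaviours in this list, as an added example (not Hoverzoom's code, and not from Reddit or Ghacks). The host names are the ones listed above; the manifest, the script contents and the function names are constructed for illustration, and treating a `tag=` query parameter near an Amazon reference as an affiliate rewrite is a heuristic assumption.

```javascript
// Hosts named in the post above; everything else in this file is constructed.
const REPORTED_HOSTS = ["webovernet.com", "jsl.blankbase.com", "advisormedia.cz", "qp.rhlp.co"];
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Flag content scripts and permissions that reach every page the user visits.
function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD.has(m))) {
      findings.push({ type: "injects-into-all-pages", detail: (cs.js || []).join(", ") });
    }
  }
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms.filter((p) => BROAD.has(p))) {
    findings.push({ type: "broad-host-permission", detail: p });
  }
  return findings;
}

// Flag URLs on a reported host (or subdomain) and Amazon "tag" rewrites (heuristic).
function auditSource(name, text) {
  const findings = [];
  for (const m of text.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+)/gi)) {
    const host = m[1].toLowerCase();
    if (REPORTED_HOSTS.some((h) => host === h || host.endsWith("." + h))) {
      findings.push({ type: "reported-host", detail: `${name}: ${host}` });
    }
  }
  if (/amazon\./i.test(text) && /[?&]tag=/.test(text)) {
    findings.push({ type: "affiliate-tag-rewrite", detail: name });
  }
  return findings;
}

function auditExtension(manifest, files) {
  return Object.entries(files).reduce(
    (all, [name, text]) => all.concat(auditSource(name, text)), auditManifest(manifest));
}

// Constructed sample extension (not Hoverzoom's actual code).
const sampleManifest = {
  manifest_version: 2, name: "constructed-sample", permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
const sampleFiles = {
  "inject.js": 'const endpoint = "https://qp.rhlp.co/constructed-path";\n' +
    'if (a.hostname.endsWith("amazon.com")) a.search += "&tag=constructed-20";',
  "zoom.js": 'img.src = "https://images.example.org/full.jpg";',
};
console.log(auditExtension(sampleManifest, sampleFiles));
```

A match only means the file deserves a manual read; an extension update can change any of this, so the check is worth repeating after each new version.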
Unethical at best, creepy at worst. Supposedly the script was also injected into any site you visited. This dev thinks he’s the NSA?
Anyway, I have divested Chrome of this extension. Chrome Web Store (or the extension’s author) has removed Hoverzoom as well. I’m now using Imagus.
Ghacks recommends keeping an eye on the extensions you use…they could well be spying on you. I wish I could recommend one that works well with WC.
Perhaps Kryo might know one which works with Firefox and Chrome and WC as well.
NoScript and extensions like it prevent browsers from making automatic connections. Unfortunately, NoScript does not interact well with WC.
My thanks to Martin Brinkmann at Ghacks.net for reviewing this topic.