Warning: Chrome extension 'User-Agent Switcher for Google Chrome' is suspicious

2 points by flashman ↗ HN
Earlier today I noticed every page I visited had this local storage key set: 'IPirat_installed = true'. I figured out this only happens when the extension 'User-Agent Switcher for Google Chrome'[0] is installed and enabled. (Not to be confused with 'User-Agent Switcher for Chrome'[1].)

Digging in the extension's source, I can see this key is set in common.js. I am a bit concerned this advertises that I have the extension installed, and that websites may be able to tell the extension to do something nefarious, like exfiltrate my browsing history. (But I don't have the skills to prove this one way or the other.)

Also, the extension is making various calls to an API, e.g. apparently fetching a list of redirects to implement.[2]

I don't know what else it's doing (I suspect rewriting shopping links to insert the creator's affiliate tags) but needless to say I've uninstalled it for now.

[0]https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake

[1]https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg

[2]http://api.useragentswitcher.org/api/redirect2list?data-wid=1

3 comments

[ 2.8 ms ] story [ 17.8 ms ] thread
Does chrome really not include a UA switcher out of the box?
It does, if you use Developer Tools you tell Chrome to fake all kinds of browser features. But Chrome's mantra seems to be to make the browsing experience as simple as possible and I agree that its not a vendor's responsibility to support sites misusing user-agents.
> Chrome's mantra seems to be to make the browsing experience as simple as possible

That is not at all how I would describe Chrome's mantra.

Even if you accept that is true - doesn't it seem a little bit ironic that the feature in question is hard enough to use the built-in solution, that multiple people have thought it necessary to not just make an extension to perform the task, but they thought enough people would do this that it's worthwhile making a shitty reffersl link scamming/privacy abusing solution.