[Updated] Chrome extension has changed ownership

[ParticleCore]

As of today the Chrome extension ownership has been changed and I am unable to make any further changes or updates to it. For now the temporary solution for anyone that wants it is to use the userscript version with a userscript manager extension, such as Tampermonkey. Remember to first backup your settings before changing.

I will try to post an update when I have more information.

---

Update

After trying to find out what happened since the other user came to me with #527 I can only assume that the intentions were not made by mistake and as a result I will now do what was suppose to have been done before all of this started.

The extension has been sold, but only the Chrome extension. Everything else remains intact and on life support. I was approached with a business proposal to either run ads on the extension or sell it. My first reply was that no matter what conclusion the business could lead to, the users would have to be informed prior to the change and unrelated feature changes would have to be opt-in by default, and I quote:

Hi, \<redacted>

I am sorry but my extension makes no collection of user data. The only available stats are the ones available from the webstore, which does not include any geo distribution or similar telemetry other than extension installation/uninstallation and total current users data.

On top of this, the extension is currently at its end of life status due to the upcoming new YouTube layout, meaning that when that layout goes live officially the extension will no longer work, and I am currently developing a fresh and new replacement to work just with the new layout.

Knowing all of this I don't know what interest you might still have in this extension, but whatever the case could be, anything would have to be disclosed to the users previous to any changes and anything unrelated to the extension features (such as data collection or advertisements, for example) will have to be opt-in by default or acceptable during install/implementation.

Cheers

Due to certain conditions I agreed on I cannot share more of the conversation out of fear of violating these conditions.

I did research the entity that contacted me and found no warning signs, which is why I decided to trust it at the end.

I was assured that their services are Google compliant and, to a certain extent, they are, from what I have seen in their code, but the current changes are way, way ad aggressive. The extension also warns users of the new changes, but not how I wanted. Asking for new permissions is not the same thing as explaining why those are being requested and what changes the extension would contain. Also turning off the support tab was not a good sign.

I was also caught somewhat off guard because I wanted to make this announcement at least one day prior to the changes, but that's also something that didn't went according to what I expected. The changes that were suppose to be made never went through; the extension description is still unchanged and are still linking to this repository, the extension options are also still linking here and the donation button is still linking to my account. It was all suppose to be changed accordingly at a certain time.

As of now there is nothing I can do, the Chrome extension version is no longer mine. I know very well how the users feel betrayed without an hint before all of this, but I was under a condition that would not allow me to go into detail about the transaction, that is until after what went through today.

I have sold the extension because of two big reasons, both some of you that have been following this extension close know of:

1 - The current extension will die. With the new YouTube layout coming up, the extension will simply not work, it already does not if users try the new YouTube layout. I am already working on an entirely new version just for the new layout, but this one is just at a basic bug fix support stage.

2 - The income is very important during the period that my life is currently on. I do appreciate all the donations that have been made and keep being made since the birth of this project, but with just around $8 average per month (if I recall correctly) there's just not enough, not even to pay the ISP. However, I only went through with the proposal because I asked for quite a high price that I was willing to sell, assuming that it would be rejected. As it happens it was not.

With that said, I most sincerely apologize. This was suppose to be way more transparent, I think the few that know me know that I never had any trouble speaking my mind when I wanted or being honest when needed, but as it happens this whole situation went off rails without me realizing it in time. Once it started there was nothing I could have done to stop it other than trying to find out what was going on and why.

The Chrome users can still use the original version, the userscript is untouched and will continue receiving bug support. To install the userscript version you will need a userscript manager, like Tampermonkey, and then click on one of the available hosts located here: https://github.com/ParticleCore/Particle/wiki/Download#userscript and your userscript manager will do the rest for you.

[knisshoku]

Hi,

Did you sell the ownership to a new developer?

[ExorcistF1]

you fucking idiot

[mreweilk]

How many times will this happen to good extensions? Shake my head.

[ariefpizzuti]

I wish you could make the announcement sooner ,thank god I remove the extension .from what I've seen from the other extensions from the new dev ,many people complaint about their browser got inject with adware and such .

[mreweilk]

And by looking at the updated extension, it has indeed been hijacked.

Here's the new manifest.json

Everyone should report the extension to google for abuse.

[pep0w]

What was the reason of this "change" of ownership... If it's anything like Stylish and Userstyles.org, it's goodbye forever (or at least I'll stick with an older version until a better alternative comes along).

[theorist-complex]

How is it possible that you were unaware of this "change of ownership"??

I assume by "change of ownership" you mean that you sold it to someone?

If thats true, then why was there no notice beforehand?

If none of the above is correct, then I apologize for sounding accusatory, but something doesn't seem right here.

[LB--]

@theorist-complex their account could have been compromised and it was transferred before they regained control of their account. No need to assume malicious intent.

[SingularityRS]

Well, this sucks. There's not really a better alternative out there for YouTube.

[CyberMew]

Just curious, how much were you paid to sellout your users?

Also, how can we migrate the settings from the chrome extension over to the userscript version? Or are we SOL again?

[theorist-complex]

@LB-- Which is exactly why I said: "If none of the above is correct, then I apologize for sounding accusatory, but something doesn't seem right here."

But frankly, the specific verbiage used - a "change of ownership" is much different than saying that "the account was compromised", or "taken over", or "I lost control of" or"hacked" or, etc, etc...

Now, if that is simply a language barrier issue, then the apology is already there - my mistake, my bad - but if it's not, then I don't think my questions are too much to ask.

[pepablock]

@q1k Care to elaborate on Stylish? I'm using the latest version, should I be worried?

[ExpHP]

For those looking at the source, any estimation of the impact of this on users who accepted the permissions for the hijacked version? What on earth is it doing exactly with the permission to "manage extensions"?

[mreweilk]

It seems to have been infected with a modified version of this, https://crx.dam.io/source/crxviewer.html?crx=https://crx.dam.io/files/gobbnicjoijcfndfmmfjnfgldgcnjibl/4.1.9.0.zip

[ExpHP]

For ease of purview, this source file appears to be the meat of the above. I'm a dufus with a trigger finger on the Download Zip button. mreweilk's link is unminimized (in the preview pane)!

To sort of answer my own question, then; this seems to be the only use of the management permission. Not 100% sure yet but I think it's just scrubbing your extensions for keywords to send to advertisers.

[alphapapa]

Not 100% sure yet but I think it's just scrubbing your extensions for keywords to send to advertisers.

Oh, is that all...

@ParticleCore It's imperative that you provide a complete explanation ASAP. As it stands, your wording seems vague and evasive, which suggests that you knowingly transferred ownership to a hostile entity, against your users' interests. If this is not the case, you should make this clear immediately.

[ParticleCore]

I am going to post an update of this situation later today, I sincerely apologize for what happened. For any user that might still want to keep using the extension you can use the userscript version with the help of the Tampermonkey extension or a similar userscript manager, the result is literally the same. For the users that haven't had the chance to backup their settings you can always install the extension temporarily, export your settings and then remove it once your settings have been exported with success to import them into the userscript version.

These recent changes only affect the Chrome extension version.

[pep0w]

@pepablock Read here, this change was only on Chrome, not Firefox. But one could say the change is coming there too. You can use an alternative for Chrome called Stylus, and just not update it on Firefox (it still works fine on FF 54). The kicker is that this data collection is turned on by default and who knows what else is under the hood. But the biggest concern is that you can't really disable automatic updates on Chrome extensions...

Here's what natalieg wrote on the forum after people complained about "anonymous" data collection being enabled by default.

every time a browser navigates to a new page, the extension queries the servers for saved and available styles. The data collected includes the current, previous and referrer pages and for each new install a random user ID is created.

That data collection is not so anonymous either, they save the first 3 bytes of the ip (ie. of let's say 12.34.56.78, they will save 12.34.56.--- which is not very anonymous, besides, they could be lying about this, they could just save the whole thing, and even sell the data to third party).

So I have disabled updating stylish on chrome, and I'm not updating it on firefox either (if/when that comes).

I'll stop here, this topic is about youtube+ (or particle for youtube if you will), so let's not turn it into something else.

[RayKoopa]

@ParticleCore Thanks for at least keeping the userscript "alive". Though that really should've been communicated better. Then again I don't know what kind of narrow-minded idiot the new "owner" is, but according to the privileges, just another ad-junk crap company not wanting you to communicate the userscript alternative too openly.

[pepablock]

@q1k Thank you for the info, much appreciated!

[ParticleCore]

I am replying to let users know that the main topic has been updated.

[Caraxi]

You are an idiot. that is all

[Eisys]

Hmmm Quite a d1ck move but I can understand. Everyone needs money.

So if I understand correctly, you only sold the current as-is chrome extension? Meaning, you still own Iridium and can post that on the Chrome store as a brand new extension, once it's finished? I adore Youtube+ and would hate to see it die completely. No alternative out there that's as good.

I use the userscript version so I'm fine, but I had to let a friend know to delete it asap and run an MBAM scan.

Also, there are a few other extensions owned by the same 'roberthawkinsg'. Those were updated recently and they too, have recent 1 star reviews stating adware/malware/excessive permissions.

[ParticleCore]

@Eisys That is correct, this only affects the Chrome extension Particle for Youtube, nothing else. Iridium is clear and will reach the Webstore as a brand new extension, which was always the plan because I never meant to "replace" YouTube+. That also means the userscripts and AMO versions will be brand new once Iridium goes live.

Regarding the owner, I was made aware of that only after I read the recent extension reviews, which was not disclosed until the extension was transferred.

[alphapapa]

@ParticleCore Okay, so you have tacitly admitted that you did sell the extension to a hostile party without regard for the safety or privacy of your trusting users.

This is inexcusable. You have now demonstrated that you are untrustworthy, and none of the other forms in which you are making this project available (userscript, Iridium, etc) can be trusted either.

The only answer for users who desire safety and privacy is for this project to be forked. This repo must be blacklisted, and this author must be forever distrusted. (Of course, since you conveniently hide your identity behind "ParticleCore", this will not be as easy as it could be.)

For anyone who's interested, I have forked the repo and opened an issue to discuss the project's future, if there can be one. Interested users and/or developers are welcome. https://github.com/alphapapa/Particle/issues/1

[ExpHP]

The extension has been sold, but only the Chrome extension. Everything else remains intact and on life support. ...

Er, uhh...

...wow. I was about ready to invoke Hanlon's razor or something towards the generally hostile attitude in this thread, as I just couldn't understand where it was coming from. And I suppose the razor still applies in some way, but... uh...

This is awful. You're a nincompoop, this 'roberthawkinsg' guy is capitalizing on trust like a goddamn Trojan Horse, and the Chrome store lets it all happen! To be honest, when I first saw the permissions request, I was puzzled, but could have accepted it anyways because I knew this project had a github and I knew there was a detailed version history where I would be able to find out exactly what crazy, new and unusual circumstances required the permissions.

But lesson be learned: trust can't come so cheap.

[HyphenSam]

If selling the extension helps fund you to create another extension for the new YouTube style update, then I'm all for it. You said you were planning on being transparent of the change, but things went the other direction. Shit happens, I understand.

Though I don't really approve of having to migrate all users of the Chrome extension, regardless of if the transparent announcement went smoothly. I wasn't too inconvenienced, but I can see this as being a hassle for people who aren't familiar with installing userscripts. And since you can no longer properly inform the Chrome extension users, you've lost quite a bit of your userbase.

[LB--]

I'm all for monetary support for the time and effort you put into maintaining these projects, but transferring ownership is an absolute no-go. Don't let it happen again. I'd rather have donation reminders than someone else in control.

[aelfwyne]

@alphapapa I'm with you. It seems that @ParticleCore knew exactly what was going to happen when he sold the extension, just not the speed at which it would happen. I wouldn't trust any future product from him either.

I'm extremely careful downloading things and do NOT get malware/spyware on my system. The fact that a trustworthy program was hijacked in this way with the COOPERATION and KNOWLEDGE of its developer is very disturbing. I questioned the permissions when they updated, but only a little bit. I assume that the expanded permissions were needed for 3rd party video services and thought that was something being added to the program. Assumptions, hah, they make something out of me I guess.

Then today Chrome disabled the extension (but did NOT auto uninstall it) which happens time to time. I went to re-enable it and only after clicking "enable" did I notice the message about violating TOS, and began to investigate.

I don't know or care what Iridium is - except that now I'll make sure to remember so I don't accidentally install it later.

[membran]

ugh

[ParticleCore]

@aelfwyne Thank you for that information. It also appears that all the extensions related to the user have been taken down from the webstore, an article about this has already been written and can be found here for anyone interested: https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/

As for the accusations that I have sold the extension to a hostile party without regard for the users, please don't make false accusations when I have already explained clearly and exactly what happened and as much as I can disclose for now.

I did a background check for the company that contacted me and there were no warning signs, nothing came up that was linked to anything negative, this I already said in the original post update. I also said that I was not made aware of who was the destination user until the transaction took effect, which I said here: https://github.com/ParticleCore/Particle/issues/528#issuecomment-314918162

After this there was nothing I could have done and until this point I never had any reason to suspect any wrong doing. So, if anything, accuse me of selling the extension to someone that I didn't know and found no reasons to suspect of ill intentions.

For anyone that shares the concerns of the users that voiced them here, feel free to fork the project, just keep in mind to respect the license.

If anything I wish someone else was doing this project and the other new one too, because that way I would not have to sacrifice my time to dedicate it here to try and fix all the problems that pop up, to add more features when possible, to help users that don't know how something works, in some cases resulting in all-nighters, to work on a new version that - from what I've seen - is the only one that is compatible with the new layout. All of it while trying to make my own life with almost no resources and no free time.

Hate all you want, those of you that do, it is your right, but by no means I will accept for anyone to lie about me, especially not after I have already explained as much as can. It's not a good argument to accuse someone of distrust while using a lie for that accusation, that's just being an hypocrite.

Having said that, I believe that all the information I could provide has been clearly disclosed in more than one way and I will leave this open for the duration of the weekend, unless anything worth mentioning comes up.

[Caraxi]

I hope you got a good deal for selling out 30,000 users. I assume the amount is under NDA though since literally everything else seems to be.

Next time maybe think about why a company would want to hide behind an NDA even after the sale is complete? hmm

[aelfwyne]

Not only why would they want to hide, but more importantly:

Why were they even interested in buying a dead-end product that as you yourself said wasn't even going to support the new Youtube layout very soon? Obviously it was worth money to them, and as it wasn't profitable to you, and it wouldn't be able to be monetized due to upcoming changes to Youtube...

I think it was pretty obvious why they wanted to pay you for it.

[Caraxi]

and of course your research about them came up clean. They make every silly dev they trick sign an NDA to not tarnish their name they built up so that they can trick more silly devs

[error161]

Did you have a written/signed/etc contract with them for the transfer, and did they breach the terms? If so, I'm curious if you'd still be required to withhold the company's name. Gladly it has been removed from the webstore, but the buyer's reputation needs to be tarnished and found out.

It's understandable if you cannot, as you don't want to put yourself in a worse situation than you are already in.

Though, IMHO it does seem fairly clear that a company wanting to buy a dead-ending extension likely does not have good intentions. Still yet, the outrage-happy internet is probably still going to come after you for this and it's unnecessary.

Good luck with Iridium and the new extension.

[ParticleCore]

Just a warning: I am leaving this open for discussion related to the topic. Any further insults will lead to this issue being locked. This is not a place for this kind of behavior.

[ParticleCore]

@bscottx I am sorry, but I think you can assume the answer for that by my inability to comment further on it. I appreciate the understanding, it has not been easy being in this position not knowing what I can or cannot say.

[LB--]

If anything I wish someone else was doing this project and the other new one too, because that way I would not have to sacrifice my time to dedicate it here to try and fix all the problems that pop up, to add more features when possible, to help users that don't know how something works, in some cases resulting in all-nighters

I really appreciate that you feel a strong obligation to maintain these projects, but if you feel it is no longer worth your time and it is having this kind of effect on your health, please step away and take a break. Your work is appreciated but you shouldn't burn yourself out on this, and you absolutely shouldn't pull all-nighters for less than minimum wage. If you step down, the forks will step up, so there's no need to feel like you are the only one who can do this - that's the good thing about open source.

I wish you the best.

[ohohohoo]

I switched from the Chrome extension into userscript version long ago — when you announced that Google removed the Chrome version and you didn't get an explanation for it, so I may not be feeling what others are experiencing.

Unlike those that hate you for selling your extension to another person/company, I have totally no problem at all. You're free to sell your product to an adware maker or whatever else coming your way because it's your product afterall and you said that you really need the money (so I assume that the situation is quite bad and you truly need the money for something important).

2 - The income is very important during the period that my life is currently on. I do appreciate all the donations that have been made and keep being made since the birth of this project, but with just around $8 average per month (if I recall correctly) there's just not enough, not even to pay the ISP. However, I only went through with the proposal because I asked for quite a high price that I was willing to sell, assuming that it would be rejected. As it happens it was not.

But there's one thing that I disagree with your decision, and that is to not inform your users beforehand. You could've made an update to your extension and show a page explaining that in a few days this extension will be sold to another party that could potentially cause harm to the users. That's all you need to give so the users can make proper decision.

I know you said that you've researched the buyer before, but let's be blunt here, whenever a company/someone buy a browser extension it could only mean two thing. Either they want to make money from your product or they want to kill your product because they don't want another competitor. This is not a perfect world where the buyer would suddenly take charge of your product and making it into something better.

I hope that you learnt from this and won't make similar decision in the future.

[chrcoluk]

I had this installed then it vanished, I then installed the userscript version, but I discovered it didnt vanish at all but instead it changed name and chrome had auto disabled it.

I am pretty angry, its sad that what turns out to be a good project always tends to get ruined by a need for money.

[ghost]

Well, you did what you had to I suppose. Dev life is hard. Best of luck for the future, but please don't do something like this again.

[BooBerry]

@ParticleCore Honestly, thanks to your blind incompetence I won't be recommending Particle/Iridium or anything else you develop ever again. Since you've "sold-out" once already, what's stopping you from doing it again in the future because you're in need of money? As such in my eyes you've lost ALL trust with this blunder. There was several obvious red flags including; the party accepting the high price, the desire to obtain a "dead" extension with a healthy fanbase and the use of a non-disclosure agreement.

But hey, I guess money blinds all judgement. I really hope it was worth it... I'm sure the users infected with the adware would disagree.

[ParticleCore]

@BooBerry You misunderstand me, I never cared about popularity, ratings or anything of the sort. This is my hobby that I do with pleasure and decided to share it publicly. If it happens to generate income then even better. As such was the case I had a good opportunity and went with it. Did not go as well as I wanted. Hindsight is 20/20, but during the exchange what is obvious for everyone after it already happened did not cross my mind while it was taking place.

Make no mistake, if I am offered another deal I will take it again, but this time I will post the emails publicly for the duration of the exchange (with sensitive information redacted, such as names and emails) so that this won't catch users by surprise again. Until then I will try to see if I can make donations work better without making them annoying, which is something I also hate.

Also don't try to pin adware on me as if I was the one who deliberately did it with full knowledge of the actions, that's just a blatant lie. The owner of the extension during those changes was not me, so blame the right person for the right reasons, call me sell-out all you want but never blame me for what happened after I was no longer responsible for the extension.

I lost the users trust? When did I ever asked for it? I had users threatening my life because I wouldn't help them make a custom userscript, I had users threatening to down-rate the extensions if I wouldn't implement features they demanded, some even went ahead and just did it (https://github.com/ParticleCore/Particle/issues/522#issuecomment-312958578).

This is just my hobby, nothing more. If you do not like it then there are other options available (although the most popular are heavy on data mining, so that's a trade-off) or, if you want, you can do what I did, build your own to your own liking, just the way you want it to be.

I know it sucks, I hated that this happened this way, but I am not here for you, I am here because I enjoy doing this project, not serving others. If it happens to satisfy what others seek then great, if not then nothing is lost. If it happens to generate income then great, if not then that's life.

[ParticleCore]

As per the previous information I decided to leave this open for another day, but I will be closing it tonight because I believe there is nothing more to add to this subject. The topic will not be locked, just the issue will be closed.

[theorist-complex]

@ParticleCore Can't say that I'm exactly happy the way this was handled, but I understand mistakes happen. Money is a real thing and it IS a driving force in our lives. Having the money available to work on the things you want to work on is a blessing. So again, while I think this could have definitely been handled better on your end, I wish you luck and hope that you continue to grow, learn, prosper, and have the ability to prioritize the work in your life that gives you a sense of pride and contentment.

[Shigeto1]

A bit late to the party but I'd just like to say I'm grateful that somebody is maintaining this script even if the extension has been hijacked. All that matters in the end is that I don't have to use YouTube's horrible flat material layout design now or (hopefully) going forward.

I've really no interest in questioning the dev's handling/mishandling of the situation or speculating about their intent, all I really care about is that this project doesn't get squashed by Google/YouTube. Particle/YouTube+/Iridium is essential to my YouTube viewing experience thanks to their clueless design team and I would rather have donation popups etc than see this project die off.

[brad-x]

Hate to try to bump a closed issue but though it's EOL it was useful. A re-upload to the chrome webstore under a new-new name would be great.

[alphapapa]

@ParticleCore

Also don't try to pin adware on me as if I was the one who deliberately did it with full knowledge of the actions, that's just a blatant lie. The owner of the extension during those changes was not me, so blame the right person for the right reasons, call me sell-out all you want but never blame me for what happened after I was no longer responsible for the extension.

At best, you're guilty of very poor judgement here. You're not an Internet newbie. You know about adware and malware and that the people who make it are underhanded and deceptive. You were tempted by some amount of money. Maybe that blinded you to the risks, but that's still your doing.

I lost the users trust? When did I ever asked for it? I had users threatening my life because I wouldn't help them make a custom userscript, I had users threatening to down-rate the extensions if I wouldn't implement features they demanded, some even went ahead and just did it (#522 (comment)).

Those idiots threatening you are irrelevant to this. You made an implicit agreement with your users when you went to the trouble to make a fancy name and logo and package and upload your extension to the Chrome store. You have their trust whether you asked for it or not, and you have a responsibility to protect them from being exploited through your software (which is auto-updated in their browsers). You abdicated this responsibility when you sold-out. If you were naive instead of malicious, so be it, but you still messed up, big time.

I maintain several software packages here on GitHub with quite a few users. It's not nearly on the scale of a browser extension, but I take the trust of my users very seriously, because I also trust and depend on other developers of software I use. I view maintaining software as stewardship, and since I benefit from the stewardship and generosity of others, I have a duty to do the same.

This is just my hobby, nothing more. If you do not like it then there are other options available (although the most popular are heavy on data mining, so that's a trade-off) or, if you want, you can do what I did, build your own to your own liking, just the way you want it to be.

Well, I guess it's not just your hobby anymore, since you have profited a tidy sum from it, at the expense of the safety of your trusting users. (Again, that may not have been your intent, but the end result is the same.)

Make no mistake, if I am offered another deal I will take it again

I appreciate your honesty. It sounds like you haven't learned your lesson after all. Now I know with certainty to avoid your software. Hopefully you will figure it out before something worse happens and more people get hurt. Next time, who knows, people might lose data, get infected with ransomware, have their credit cards stolen, etc.

Really, if you're unwilling to take these risks seriously, I encourage you to stop developing or stop packaging your software. Let someone else do it, someone who takes these issues seriously.

[ParticleCore]

@brad-x That is something I simply cannot do, it would be illegal. The only option is to use the userscript version, if you want.

[alphapapa]

BTW, if this whole ordeal hasn't made it clear enough, you should be really careful what you sign. If it would violate your contract for you to upload this software under a different name, that makes me wonder whether you signed away all rights to your software, period. The license on this repo was already unclear; can it even be forked? Can this repo even remain online? What a mess. And what a shame, it was really nice software.