Spyware Chrome extensions considered harmful

'Carefull what you wish for' by Robbert van der Steeg

Messing around on Reddit tonight, I found a post that disturbed me greatly – not in the usual sense people mean for Reddit.

According to khoker, the Smooth Gestures extension for Chrome is spyware.


    function pl_track(){
        if (window.location.protocol == "https:") return;
        if (window === window.top)
        {
            if (!document.getElementById('hummingtrack'))
            {
                trackerimg=document.createElement('img');
                trackerimg.id="hummingtrack";
                trackerimg.src="http://www.smoothgesturesapp.com/tracking/tracking_ss.gif?events="+window.location.href.split(/\/+/g)[1]+"&r="+Math.random();
                trackerimg.height="1";
                trackerimg.width="1";
                document.body.appendChild(trackerimg);
            }
        }
    }
    setTimeout(pl_track(),1500);

If somebody has a reasonable explanation for this other than ‘spyware’, I’d love to hear it.

The Google Code issue has quite a few comments discussing it further, and you may wish to report it to Google as I did.

For myself, I’ve disabled it for now until this gets resolved. I use my browser for internal corporate stuff as well, and I don’t think anybody needs to know about those sites (though I don’t particularly care about them seeing me waste time on G+ and Reddit :P ). This is very sneaky and potentially illegal. At the least, it’s almost certainly a violation of their terms of service with Google.
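
As an added example (not part of the original post and not the extension's code), this is one way to scan an extension's script source for the pattern in the snippet above: a remote URL assigned to a `.src` property and concatenated with a value taken from the page address. The name `findBeacons`, the regular expressions and the host `static.example.test` are assumptions made for the illustration.

```javascript
// Added example (not from the extension): heuristic audit of script source for
// tracking beacons. It flags statements that assign to a .src property a remote
// URL concatenated with a page-identifying value.
const PAGE_SOURCES =
  /\b(?:(?:window|document)\.)?location\b(?:\.\w+)?|\bdocument\.(?:URL|referrer|title)\b/g;
const SRC_ASSIGN = /([\w$.\[\]]+)\.src\s*=(?!=)([\s\S]*)/; // assignment, not == or ===
const REMOTE_URL = /["'](?:https?:)?\/\/([^\/"'?#]+)/;     // literal absolute URL

function findBeacons(source) {
  const findings = [];
  let offset = 0; // index in `source` where the current statement starts
  // Naive split on ';' (assumption: readable code with no ';' inside strings).
  for (const stmt of source.split(";")) {
    const m = SRC_ASSIGN.exec(stmt);
    if (m) {
      const rhs = m[2];
      const url = REMOTE_URL.exec(rhs);
      const leaks = [...new Set(rhs.match(PAGE_SOURCES) || [])];
      if (url && leaks.length > 0) {
        const line = source.slice(0, offset + m.index).split("\n").length;
        findings.push({ line, target: m[1], host: url[1], leaks });
      }
    }
    offset += stmt.length + 1;
  }
  return findings;
}

// Constructed sample: two lines from the snippet above plus benign look-alikes.
const SAMPLE = String.raw`var logo = document.createElement("img");
logo.src = "http://static.example.test/logo.png";
trackerimg=document.createElement('img');
trackerimg.src="http://www.smoothgesturesapp.com/tracking/tracking_ss.gif?events="+window.location.href.split(/\/+/g)[1]+"&r="+Math.random();
if (frame.src == window.location.href) return;`;

console.log(findBeacons(SAMPLE));
```

This is a text heuristic: it does not cover `setAttribute('src', …)` or minified code, so a hit is a reason to read the statement, and a clean result is not proof of absence.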


6 Responses to Spyware Chrome extensions considered harmful

  1. Thanks for looking into this, I just noticed this effect too and have uninstalled the extensions. Why can’t we have good things?

  2. I reported the issue originally, and I am sad to see this useful extension go. It has now been removed both from Google Code and from the Chrome webstore. I am hypothesizing 100% now, but I am guessing that the original author, Scott Fujan, sold off the plugin to some dodgy types who wanted to make a quick buck by spying on all its users, based on the last message from the author in the bug thread before it was deleted by Google:

    “All,

    I am the original author of Smooth Gestures. However, I do not have control over this extension anymore. I do not believe that this issue was the result of bad intentions, as some of you have accused; however, I too was concerned that this issue continued to impact users’ browsing experience.

    In a short while I will be releasing Smooth Gestures Plus. Smooth Gestures Plus will be a version of Smooth Gestures that will continue to be maintained by me. I can absolutely promise that your privacy will be respected in Smooth Gestures Plus. I am very sorry that this has become an issue and hope that I can regain your trust with Smooth Gestures Plus.

    –Scott”

    And later,
    “To be clear: I did not personally release 0.15.4.3; I did release 0.15.4.2”

    (0.15.4.3 was the first version with the spyware plugin, and was released on 25 August).

  3. I think it is worth adding the after-story. A couple of weeks ago, the authors released a new version apparently with the spyware removed. And yesterday, in response to another issue on the Google Code tracker, they released the full source code to the extension under the Apache licence:

    “Source code is available here at google code and on github. The NPAPI plugin source is in a separate folder from the plugin code that is predominately javascript. The code is also now licensed under Apache 2.
    Status: Fixed”

    So I guess they were serious when they said sorry and that they wanted to regain our trust. The open sourcing proves the good intentions, and I’ve added the extension back on.

  4. Thanks for the update, Thomas, and I’m glad to hear that things have improved.

  5. Any good anti-spyware (i.e. like Spybot) for Chrome?
    Thanks
    /JA
