TIL a Chrome Extension was spying on me. BEWARE “Smooth Gestures”.

The app ID is: [lfkgmnnajiljnolcgolmmgnecgldgeld](https://chrome.google.com/webstore/detail/lfkgmnnajiljnolcgolmmgnecgldgeld?hc=search&hcp=main)

And this isn't some unknown, shady app. Google reports it to have over 400,000 users and a 5-star rating with over 5000 votes.

Anyway ... troubleshooting a JavaScript error today, I noticed the following code was being inserted into every page I visited. The only reason I noticed it at all was because it was broken, and a # was erroneously added before the setTimeout call the last time it updated.

function pl_track(){
if (window.location.protocol == "https:") return;
if (window === window.top)
if (!document.getElementById('hummingtrack'))

14 thoughts on “TIL a Chrome Extension was spying on me. BEWARE “Smooth Gestures”.”

  1. I don’t see the problem? Is that not the image it uses to track mouse gestures and thus actually allow the extension to function?

    With that many users I’m sure the source has been checked and re-checked by a lot of javascript savvy people.

  2. All it really does is send the domain you are on (not sure about referral information). For all you know this could be it’s normal operation and it simply handles processing of gestures through a separate script.

    Try blocking domain smoothgestureapp.com in your hosts file, see what happens. If the extension breaks, you can assume it’s part of the gesture detection. If every part of it works, you can assume it’s spying on you.

    If it’s part of the gesture detection, you can assume it uses the domain to determine what action to take if there is domain specific gestures (not sure if this extension has that feature), so if I draw a “C” maybe it goes to r/chrome, or a “P” goes to r/pics, etc, but only works on the reddit.com domain which would explain why he would need to send that information.

    If he was truly spying I would think he would just use referral information as that’s typically more than enough information.

  3. Disabled for now until this gets resolved. I use my browser for internal stuff as well, and I don’t think anybody needs to know about those sites (though I don’t particularly care about them seeing me waste time on G+ and Reddit 😛 ).

    Still: this is very sneaky and potentially illegal. At the least, it’s almost certainly a violation of their ToS with Google.

  4. Yup. I noticed this on my mom’s slower internet that every page I visited showed a hit to smoothgesturesapp.com and I wondered why. Then it hit me that it was likely tracking all my visits. I removed the extension.

    Edit – I put the extension back and set smoothgesturesapp.com to resolve to localhost in /etc/hosts and lmhosts and it still works. Obviously as the resolution is to localhost and nothings listening on port 80, its not gonna get to smoothgesturesapp.com so hopefully its all good now.

  5. And this is why I now disabled the automatic extensions updating by going to about:plugins and disabling the “Google Update” plugin.

  6. I am pretty certain many extensions track the users or otherwise sned home information they shouldn’t. That’s why I was hoping Chrome will allow users more fine grained control on what information extensions have access and the sites they can contact. To many extensions ask for permissions to “all your information on all websites ” unnecessarily.

  7. I just edited my hosts file to point smoothgesturesapp.com to

    Though I’d like to find an OSX version of Active Ports to monitor outbound connections in realtime. lsof -i is a little clunky.

  8. Looks like the author has removed the add-on from the web store.

    The alternative Mouse Stroke for some reason does not work on OS X. Can’t seem to find any other alternative mouse gesture extension 🙁

  9. All,

    I am the original author of Smooth Gestures. However, I do not have control over this extension anymore. I did not personally release; I did release I do not believe that this issue was the result of bad intentions, as some of you have accused; however, I too was concerned that this issue continued to impact users’ browsing experience.

    In a short while I will be releasing Smooth Gestures Plus. Smooth Gestures Plus will be a version of Smooth Gestures that will continue to be maintained by me. I can absolutely promise that your privacy will be respected in Smooth Gestures Plus. I am very sorry that this has become an issue and hope that I can regain your trust with Smooth Gestures Plus.


  10. As an FYI, it might be worth noting that the current version of Smooth Gestures ( that has had the “offending” code referenced in this post removed actually still phones home with tracking data, albeit the data itself seems benign.

    It HTTP POST’s to:


    with the following JSON payload:


    (clientid has been altered in this sample)


Leave a Comment