This Chrome Extension Lets You Hijack Your Friend’s Browser
The simplest description of Shove also explains why a reasonable person wouldn’t use it. It’s a Chrome extension that lets you “forcibly” open a tab—and load the webpage of your choice—in a friend’s browser. And your friend? They can hijack one of your browser tabs at any time, too.
There are no security measures built into Shove, other than those already built into Chrome. So yes, you’d see a warning page if someone tried to load a nefarious page in your browser, and you’d have to opt in if a site wanted to fire up your camera and mic. But other than that, Shove leaves the options wide open.
Here in the WIRED offices, that was enough to make most of my colleagues think twice about testing Shove out. After all, the risks are obvious: Someone could load up a malware-ridden site, some gnarly off-color content, or perhaps worst of all, a Rick Astley video on your computer without your express consent. Your boss could be standing right behind you as they did it.
As such, in our brief trial period with the extension, every time a browser tab popped open with Shove’s bright yellow “incoming” message, I felt a kick of adrenaline and fear. This was an Internet trust fall.
In some ways, the service is self-policing; the best security measure available to you is picking the right people as your Shove friends. Karma reigns; you don’t Shove someone something you wouldn’t want to receive, lest you get the same garbage back, or get dropped from the recipient’s friend list.
And while Shove was developed just for kicks, the team behind it sees potential use-cases beyond extended trolling sessions. Sending someone or a full team a webpage for reference or discussion requires one fewer click; it just automatically loads on the recipient’s machine.
“At first, we thought this would be a pretty funny and dangerous game,” says Mike Lacher, who wrote most of the back-end code for the project. “But once we built it and played around with it, it became less of a prank and more an easy way to share things back and forth… It was about having a creative conversation, where the domain name is the message. Or if you want to tell your friend ‘no way’ about something, sending them a link to a Google Image search is a lot more interesting.”
That much is true. Instead of typing text or dropping links to sites in a chat room or messenger, Shove puts a new spin on communication. For example, instead of saying “hi,” you can Shove someone an open page like SUP Magazine, or Yo, or this GIF. And because your friend doesn’t have to click on anything, it’s almost like you’re popping up to say hi in real life. There’s a sense of immediacy and presence that doesn’t exist with other chat apps.
That’s because Shove doesn’t just open a webpage in another person’s browser, it also makes it the active tab. Receive a Shove, and that’s what you’re looking at, like it or not. Lacher says that was a conscious decision: Having a Shoved page load in a pop-under or deactivated tab could have been “more pesky,” he says. By making it the active tab, the receiver doesn’t have to dig through tabs to disable audio or block a page from loading.
“At first we wanted to limit it to something where you could only send other people things a couple of times a day,” Lacher says. “But then, as we started using it, the fun thing isn’t finding the most shocking thing or whatever and sending it to a friend. It was creative conversation… We don’t inspect the URLs going back and forth at all. And we don’t want to be watching what people are doing with it. So there’s no real controls on that level.”
While Shove is completely open-ended in terms of what you can send and receive, you have to add people to your friend list and accept their request to add you. Unlike Twitter or Facebook or chat services, the risks are pretty severe if you don’t curate your friend list wisely. If you feel uncomfortable adding anyone to your friend list, there’s also an automated (and clean) “shovebot” account that you can play webpage tennis with.
In addition to Lacher’s back-end coding, Chris Baker and Brian Moore handled most of the design and front-end code. This isn’t the first time the three Brooklyn-based creatives have teamed up on a weird-but-fun web project. They also worked together on the incredible Lightyear.fm, which visualizes how far radio waves from Earth have traveled through space, and the completely crazy Like Creeper, which randomly faves one of your friends’ old Instagram photos. Baker and Lacher worked together on the SMS-based Drunk Shopping bot.
While opening a webpage on someone else’s computer seems like it would need some kind of security trickeration, it doesn’t. For this project, Lacher says he simply used some options available in the Chrome API. Shove is only available as a Chrome extension now, but Lacher says the same kind of thing could work on other browsers, too.
“It’s not a loophole, it’s a pretty standard Chrome extension capability,” Lacher explains. “The Chrome API has stuff built in where you can open tabs programmatically and open a URL programmatically. Basically, it was just us fusing that with a chat program. We’re not doing anything very exotic. We haven’t seen anything that works quite like this, but it’s definitely not using anything groundbreaking in terms of technology.”
Right now, Lacher says Shove has about a thousand users. As its user base grows, so will the potential for jerks to use it for bad reasons. But ultimately, a user’s experience with the app is up to them; they need to choose their friends wisely.
“It’s a little bit more personal. It’s not just another chat program where you have like five million friends and there’s that weird guy from high school,” Lacher says. “This is giving someone control of your browser. It’s more for people who have at least mildly good judgment.”