How companies take advantage of Mozilla’s Addon repository

Mozilla's Addon repository is one of the backbones of the Firefox web browser, Thunderbird email client and various other programs based on the same core. Users can download and install add-ons with just a few clicks to benefit from new or modified features they make available in the installed program.

Add-ons are reviewed by Mozilla before they are added to the repository on the site, and while many may think that these reviews are thorough enough to keep illegitimate add-ons out, it may not always be the case.

What would you say if I told you that companies buy add-ons from developers to make a profit? You'd probably ask how they'd make a profit from these add-ons and I'd reply to you that they monitor what you do on the Internet.

While this may sound like fiction let me reassure you that it is not. Take the Autocopy extension as an example. It is a popular extension with more than 57k active users at the time of writing and 481 user reviews and an overall star rating of four stars out of five.

When you look at the most recent comments you will notice that they are all rating the add-on with one star, the lowest rating available.

What do the reviewers complain about? According to them, the extension is sending information to a server on every page visit.

Besides providing auto copying, this add-on sends info to stats.wips.com about EVERY page you visit and how long you stay there. Highly NOT recommended!

We need to go back to the beginning for a short moment before we dive into this again. The AutoCopy extension was purchased by Wips recently from its former author who confirmed that to me in an email. So, the extension ownership changed hands and what seems to have happened thereafter is that the company added the "phone home" feature to the add-on.

The company responded to several user reviews confirming the ownership change as well and that the extension was sending statistics to company servers.

Hi,there is no need to worry, we provide this add-on for free without any spyware, spam or advertising.
You can turn the stats off in the options.

I contacted the company to find out more about this. Lukas Marek, the company CEO told me that the extension was not sending any browsing data- but did so in the past - and that the connections that are still made by the extension are for analytical purposes only.

What I can confirm is that the extension is still contacting servers on every page load of the browser.

firefox addon wips

If you look into the about:config dialog you will find several stat related parameters including a client ID (likely unique identifier) and options to disable the sending of permissions.

autocopy

When you look at the privacy policy on the Wips website you will notice a chapter about information it collects from the extension service.

In addition, for every Web page you view while using the Extension Service, the Wips.com software transmits and stores your IP address, which may include a domain name, the full URL of the Web page you are visiting, general information about your browser; general information about your computer's operating system; your Wips.com cookie number or other identifying alphanumerical information enabling Wips.com to identify your computer; and the date and time the above information is logged.

Autocopy is not the only extension the company seems to have bought. It is now listed as the owner of eleven add-ons including  BlockSite, an add-on used by more than 210,000 users and Fasterfox Lite, used by more than 115,000 users.

When you try to install Fasterfox Lite you are taken to an intermediary page where you need to accept the end user license agreement before you continue. A note at the beginning states that the company collects and stores information about web pages that users visit and that this may in some cases include personally identifiable information.

WIPS.COM'S EXTENSION SERVICE COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW. IN SOME CASES, INFORMATION COLLECTED BY THE EXTENSION SERVICE MAY BE PERSONALLY IDENTIFIABLE, BUT PRIVACY IS IMPORTANT AT WIPS.COM, AND WE DO NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY WIPS.COM USER.

I tried to get a better understanding about ownership changes. A Mozilla representative confirmed that "no interaction with Mozilla representatives is necessary for a transfer of ownership" and that a change is not highlighted anywhere on the Mozilla website.

All add-on updates or new versions are reviewed by Mozilla on the other hand which is certainly reassuring. It is still not clear why new versions of the extension were approved by Mozilla since they phone home and at least one, Autocopy, does not mention that anywhere on the add-ons page.

So, what can you do to protect yourself from this practice? Not much it seems. While you could dive into the code of the extension it is not really something that the majority of users can and want to do. The only other option to find out about a built-in phone home feature is to install the extension and monitor the browser's connections afterwards.

Update: Statement from Mozilla

It appears you tested Version 1.0.8 of AutoCopy. This version is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic.

After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and what the majority of users have installed.

Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to How companies take advantage of Mozilla’s Addon repository

  1. Maou January 13, 2013 at 1:44 pm #

    They own Simple Adblock, and another 10 extensions.Including some google Chrome addons.
    Fortunately I`dont use any of these extensions.

    Thanks for the heads up Martin.

  2. Mike January 13, 2013 at 2:26 pm #

    This is a beautifully informative article that highlights the constant dilemma of whether certain internet practices are ethically acceptable or not. I have sympathy for Mozilla, who I am sure do their utmost to ensure that addons are non-intrusive. Ultimately, companies like wips.com will be policed by users, who will decide whether security lists need to be updated to prevent such "analytical" methods.
    Thank you for the excellent research, Martin ... much appreciated.

  3. TheRube January 13, 2013 at 2:41 pm #

    Indeed!
    Mike. I agree with your comment - - 100%!

    Thank You,

    TR

  4. Yoav January 13, 2013 at 2:52 pm #

    Not cool.

  5. Yoav January 13, 2013 at 2:53 pm #

    Not cool. Thanks for the heads up, Martin.

  6. Wizened January 13, 2013 at 3:20 pm #

    I agree with Mike's & TheRube's comments.

    Excellent article Martin. This kind of journalism and original content creation is what sets you apart from all the other tech re-bloggers out there.

    Keep up the good work.

  7. nocturne January 13, 2013 at 3:21 pm #

    Martin, what data do the add-ons send in the picture? Have you checked it with Wireshark?

    • Martin Brinkmann January 13, 2013 at 4:06 pm #

      I only checked it briefly and the data was not transferred in clear text.

  8. Bill Newton January 13, 2013 at 3:21 pm #

    Great article Martin!
    But we must keep in mind that the "Consumer is King"! I just went to Wips.com and checked to see what extensions they own. I then went to my extensions in FF and Chrome and made certain that I didn't have any of their extensions and add-on's installed on my computer. I did not. The point of this message is that we the consumer can control these companies. If the word gets out to enough people and people stop using ANY add-on's owned by Wips.com, it won't be long before Wips.com folds up. Granted they will probably change the name of their company and start right back up, (or already have ownership through different names). But fortunately there are people like You and Ghacks technology to help keep us informed!

    Thanks Martin!

  9. Nebulus January 13, 2013 at 3:52 pm #

    Thanks for the information, Martin! The article is very informative and raises an interesting problem about trust. It seems that trusting an application, a firm or a developer once is not enough anymore; a constant check is needed now, and I'm afraid that not everyone will be aware (or able) to do that...

  10. Bill Newton January 13, 2013 at 3:59 pm #

    I was looking around some of my devices to see how much affect Wips.com might have on my life and what I found on my Apple Itouch was very enlightening. I found that Apple offers and highly recommends several Wips.com apps.
    I guess Apple knows a money maker when they see one!

  11. Paul B. January 13, 2013 at 4:04 pm #

    An important article, Martin. Well done.

    > the full URL of the Web page you are visiting

    The critical thing here is the metadata. It's nothing for these people to gain a bit of info here, and a bit more there, to put together the puzzle very rapidly. Say someone visits a certain facebook page often and stays there long. Facebook's policy is to require actual names.The math is pretty easy.

    This is one reason I appreciate Opera, which exercises tight control of the extensions it offers. As far as I know, Opera has a long record of respecting privacy.

    One thing one can do if they absolutely need these extensions is block the home site via the hosts file or some other means. But of course, 98% of users are not going to do that, and few will ever even know a problem exists. Mozilla really should have been doing a lot more to protect their users. Is there profit in it for them for commercial extensions?

  12. Nebulus January 13, 2013 at 4:17 pm #

    I just checked AutoCopy and I found out that they are sending the data over SSL. So there is no immediate way to see what kind of data are they sending.

  13. amdou January 13, 2013 at 4:40 pm #

    wow.... removed autocopy. thanks Martin

  14. sweetu January 13, 2013 at 5:57 pm #

    Thanks Martin !
    Kindly inform what about the Ad-block Plus, Ghostery & Donot Track me Add-ons ? Will they Do also send data to back ???

  15. Akos January 13, 2013 at 6:51 pm #

    Shouldn't Mozilla warn the users in Add-On page about this or even remove it from their repository?
    Martin, could you push forward to get an official response from Mozilla if they have any intention to resolve such issues?

    • Martin Brinkmann January 13, 2013 at 7:12 pm #

      I have forwarded the article to Mozilla, waiting for a response.

      • AM97 January 17, 2014 at 12:29 am #

        I've been reporting these addons for months Martin, Mozilla never reply :(

  16. Prince January 13, 2013 at 6:51 pm #

    Quick one, what key is the one to disable it and does it really disable the sending, or just placebo?

    • Martin Brinkmann January 13, 2013 at 7:05 pm #

      It is the highlighted preference that you see on the second screenshot. I only tested it a couple of minutes and it seems to have stopped the sending in that time.

  17. berttie January 13, 2013 at 10:36 pm #

    @ Prince

    To be doubly sure, block Wips' IP, 88.86.125.12, in your firewall.

  18. Nebulus January 14, 2013 at 12:22 am #

    Be aware that sometimes blocking a single IP is not enough, because the IP used by WIPS can change in the future. If I would use AutoCopy, I would uninstall it completely, because you will never know what data the next version will send home...

  19. Nebulus January 14, 2013 at 12:37 am #

    Martin, it appears that AutoCopy sends some data once after installation (a user guid, version number, extension ID, project ID and state), and after that is stops. It could have a timer though and call home again at a later time, but I didn't run it long enough to see that.

  20. what2do? January 14, 2013 at 2:47 am #

    EXCELLENT report, Martin!!
    I have just UNinstalled the "gPDF" extension from my FF,
    (another WIPS "property").

    but.... I'm still using the Autocopy OLD version: 1.02.

    2 Qs:
    Q1) Is AutoCopy version 1.02 safe?
    (It's dated * before the original author *,sold it to the evil WIPS empire ...).

    Q2) How can I check (simply....),
    that this OLD version 1.02 of Autocopy,
    is not "phoning home"?

    Martin,,,I see that you used a pgm. called "CurrPorts"
    in the research of this post.

    A simple, stepXstep tutorial on "CurrPorts"
    on how to monitor the "calling home" behavior,
    would be a perfect complement to this great article...

    Thanks!

  21. Billabonga January 14, 2013 at 4:26 am #

    What about add-ons like Ghostery? It supposedly blocks tracking cookies from aggressive tracking sites. But, in the process, surely it monitors all sites visited with the browser. Would Ghostery be providing all of my browising habits to the owner?

  22. Pablo January 14, 2013 at 6:37 am #

    WOW! Just wow! Thanks for the heads up, Martin. Great article, great research.
    I think this case may set some sort of precedence at Mozilla Add-ons. Please keep us informed about the eventual outcome.

    As a side note, I've just submitted a couple of reviews at the pages of two other Wips.com add-ons ("Handy Maps" and "Fasterfox Lite"), warning potential users about the spyware-like behavior of that company.

  23. Ken Saunders January 14, 2013 at 8:00 am #

    Very well done Martin.
    These are important issues that end users should be made aware of and since you are the first to write about it, hopefully others will follow your lead on this and write about it too.

    As far as Mozilla, transparency is important to them and the fact that a user's data is their own and they should have full control of it is also very important to them.
    Any add-ons that collects/transmits any information is supposed to include a privacy policy. It's the first section of the developer agreement.

    Developer Agreement:
    "1. Responsibility for AMO Contributions. You represent and warrant that:

    if any information about the user or usage of the AMO Contribution is collected or transmitted outside of the user's computer, the details of this collection will be provided in the description of the AMO Contribution and you will provide a link to a privacy policy detailing how the information is managed and protected; "
    An AMO Contribution is any add-on uploaded to the add-ons site.

    What's important here is that it's up to end users to take the time to actually read privacy policies and any EULA no matter what they installing or where it's from.

    About the change of hands in ownership. Well, that's tough, and it's also tough if a developer decides to monetize their add-on on their own.

    A few years ago a theme developer did just that and after an update, I noticed that Ask bookmarks, search, and other things were suddenly added to my Firefox. It took time to pin down where that all came from and since it was through an automatic update and updates can include anything and without warning, how was I to know.

    To avoid things like this, a user can disable auto-updates for add-ons and when they do a manual check and see that there are updates available, they can read the release/version notes on the add-on' page before updating.
    That can be time consuming and a pain in the butt, but if a user cares about what goes into their computer and more so out of it, they'll take the time to do it.

    I'm not sure what Mozilla could do if anything at all to have users notified when ownership of an add-on changes hands especially with automatic add-on updates. There should be something, because we try to trust what we add to our computers and trust must be earned, or we at least need to read why we should trust an add-on's developer and when a company buys an add-on, they're buying the trust that was established between the developer and user.

    If I had any ideas, I'd file a bug.

    Thanks for looking out for us all and the excellent journalism.
    It's a rarity nowadays especially with tech sites.

  24. ilev January 14, 2013 at 8:37 pm #

    Martin, thanks for a great article.

  25. nero January 14, 2013 at 9:07 pm #

    I too have (now had) this extensión installed. Apparently we can still have this functionality due to a built in variable in FF.

    http://en.kioskea.net/faq/14653-firefox-enable-the-clipboard-autocopy-feature

  26. nero January 14, 2013 at 9:10 pm #

    I'm using AutoCopy2 I just realized and it doesn't have this behavior..must be unrelated.

  27. s95 January 14, 2013 at 9:45 pm #

    @Nero: the kioskea solution works,
    but ONLY in FF under Linux (not in WIN).

    There are many AHK scripts to AutoCopy available,
    but none work reliably to copy text/images from a web page -
    by just simply "selecting" the text/images...,
    (w/o having to press any additional kbd. or mouse keys).

    Wish somebody came up with an AHK script.
    Well, I guess the challenge has been launched :-)
    AHK enthusiasts out there? DONATION Coder mavericks?
    You are being called !

  28. nero January 14, 2013 at 10:15 pm #

    Unfortunately I didn't notice that until I tried it.

    Still, AutoCopy2 is free and clear of wips, and I'm still happily using it *whew*

  29. gee3hacker January 15, 2013 at 8:14 am #

    Yes, this is the whole reason why AutoCopy 2 was made:
    https://addons.mozilla.org/en-US/firefox/addon/autocopy-2/

    Something similar happened to QuickDrag:
    https://addons.mozilla.org/en-US/firefox/addon/quickdrag/

    Version 2.1.3.23 added a completely useless and invasive "Enable Marketing" option. You can disable this function, BUT IT SILENTLY RE-ENABLES ITSELF SEVERAL DAYS LATER!! Very sneaky. Downgrading to 2.1.3.21 completely removes said Enable Marketing option. Version 2.1.3.23 says it adds "7.0 compatibility" but version 2.1.3.21 works just fine in Pale Moon 15.3.2.

    I will not upgrade QuickDrag any longer and will look for a better alternative if and when QuickDrag becomes unusable, which I hope never happens since its "drag an image to save it" is so useful I cannot browse without it. I pity anyone who still does the same "right-click>save as" routine. Never going back to that, ever.

  30. nero January 15, 2013 at 12:00 pm #

    another one that I'm using :(

  31. Transcontinental January 15, 2013 at 12:34 pm #

    Acknowledging this most valuable article a bit lately.
    I admit I hadn't taken the full dimension of the complexity : water-proof can be a concept only sometimes.
    Thanks Martin for a detailed article as always.
    I'll be aware from now on that there can be a gap between the official acceptance/validity of an add-on and it's true face revealed over time, and that checking possible connections established by a new add-on is a good practice.

  32. Caspy7 January 16, 2014 at 10:51 pm #

    I'm curious, is the story any different with Chrome and its extension store?

  33. AM97 January 17, 2014 at 12:36 am #

    I hope you get somewhere with this Martin.

    I've been reporting various addons to Mozilla for months for exactly this type of behavior. Unfortunately Mozilla have never responded.

    It seems (sadly) that "Reviewed by Mozilla" doesn't mean much at all. The only safe way to use Addons in Firefox is to go through the code yourself.

  34. Bud February 5, 2015 at 9:58 pm #

    Does anyone know what to remove or comment out in the Autocopy extension to prevent it from collecting stats and connecting to wips? I've tried Autocopy 2 and it doesn't work nearly as well as the original.

Leave a Reply