How companies take advantage of Mozilla's Addon repository
Mozilla's Addon repository is one of the backbones of the Firefox web browser, Thunderbird email client and various other programs based on the same core. Users can download and install add-ons with just a few clicks to benefit from new or modified features they make available in the installed program.
Add-ons are reviewed by Mozilla before they are added to the repository on the site, and while many may think that these reviews are thorough enough to keep illegitimate add-ons out, it may not always be the case.
What would you say if I told you that companies buy add-ons from developers to make a profit? You'd probably ask how they'd make a profit from these add-ons and I'd reply to you that they monitor what you do on the Internet.
While this may sound like fiction let me reassure you that it is not. Take the Autocopy extension as an example. It is a popular extension with more than 57k active users at the time of writing and 481 user reviews and an overall star rating of four stars out of five.
When you look at the most recent comments you will notice that they are all rating the add-on with one star, the lowest rating available.
What do the reviewers complain about? According to them, the extension is sending information to a server on every page visit.
Besides providing auto copying, this add-on sends info to stats.wips.com about EVERY page you visit and how long you stay there. Highly NOT recommended!
We need to go back to the beginning for a short moment before we dive into this again. The AutoCopy extension was purchased by Wips recently from its former author who confirmed that to me in an email. So, the extension ownership changed hands and what seems to have happened thereafter is that the company added the "phone home" feature to the add-on.
The company responded to several user reviews confirming the ownership change as well and that the extension was sending statistics to company servers.
Hi,there is no need to worry, we provide this add-on for free without any spyware, spam or advertising.
You can turn the stats off in the options.
I contacted the company to find out more about this. Lukas Marek, the company CEO told me that the extension was not sending any browsing data- but did so in the past - and that the connections that are still made by the extension are for analytical purposes only.
What I can confirm is that the extension is still contacting servers on every page load of the browser.
If you look into the about:config dialog you will find several stat related parameters including a client ID (likely unique identifier) and options to disable the sending of permissions.
When you look at the privacy policy on the Wips website you will notice a chapter about information it collects from the extension service.
In addition, for every Web page you view while using the Extension Service, the Wips.com software transmits and stores your IP address, which may include a domain name, the full URL of the Web page you are visiting, general information about your browser; general information about your computer's operating system; your Wips.com cookie number or other identifying alphanumerical information enabling Wips.com to identify your computer; and the date and time the above information is logged.
Autocopy is not the only extension the company seems to have bought. It is now listed as the owner of eleven add-ons including BlockSite, an add-on used by more than 210,000 users and Fasterfox Lite, used by more than 115,000 users.
When you try to install Fasterfox Lite you are taken to an intermediary page where you need to accept the end user license agreement before you continue. A note at the beginning states that the company collects and stores information about web pages that users visit and that this may in some cases include personally identifiable information.
WIPS.COM'S EXTENSION SERVICE COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW. IN SOME CASES, INFORMATION COLLECTED BY THE EXTENSION SERVICE MAY BE PERSONALLY IDENTIFIABLE, BUT PRIVACY IS IMPORTANT AT WIPS.COM, AND WE DO NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY WIPS.COM USER.
I tried to get a better understanding about ownership changes. A Mozilla representative confirmed that "no interaction with Mozilla representatives is necessary for a transfer of ownership" and that a change is not highlighted anywhere on the Mozilla website.
All add-on updates or new versions are reviewed by Mozilla on the other hand which is certainly reassuring. It is still not clear why new versions of the extension were approved by Mozilla since they phone home and at least one, Autocopy, does not mention that anywhere on the add-ons page.
So, what can you do to protect yourself from this practice? Not much it seems. While you could dive into the code of the extension it is not really something that the majority of users can and want to do. The only other option to find out about a built-in phone home feature is to install the extension and monitor the browser's connections afterwards.
Update: Statement from Mozilla
It appears you tested Version 1.0.8 of AutoCopy. This version is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic.
After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and what the majority of users have installed.
Advertisement
Doesn’t Windows 8 know that www. or http:// are passe ?
Well it is a bit difficulty to distinguish between name.com domains and files for instance.
I know a service made by google that is similar to Google bookmarks.
http://www.google.com/saved
@Ashwin–Thankful you delighted my comment; who knows how many “gamers” would have disagreed!
@Martin
The comments section under this very article (3 comments) is identical to the comments section found under the following article:
https://www.ghacks.net/2023/08/15/netflix-is-testing-game-streaming-on-tvs-and-computers/
Not sure what the issue is, but have seen this issue under some other articles recently but did not report it back then.
Omg a badge!!!
Some tangible reward lmao.
It sucks that redditors are going to love the fuck out of it too.
With the cloud, there is no such thing as unlimited storage or privacy. Stop relying on these tech scums. Purchase your own hardware and develop your own solutions.
This is a certified reddit cringe moment. Hilarious how the article’s author tries to dress it up like it’s anything more than a png for doing the reddit corporation’s moderation work for free (or for bribes from companies and political groups)
Almost al unlmited services have a real limit.
And this comment is written on the dropbox article from August 25, 2023.
First comment > @ilev said on August 4, 2012 at 7:53 pm
For the God’s sake, fix the comments soon please! :[
Yes. Please. Fix the comments.
With Google Chrome, it’s only been 1,500 for some time now.
Anyone who wants to force me in such a way into buying something that I can get elsewhere for free will certainly never see a single dime from my side. I don’t even know how stupid their marketing department is to impose these limits on users instead of offering a valuable product to the paying faction. But they don’t. Even if you pay, you get something that is also available for free elsewhere.
The algorithm has also become less and less savvy in terms of e.g. English/German translations. It used to be that the bot could sort of sense what you were trying to say and put it into different colloquialisms, which was even fun because it was like, “I know what you’re trying to say here, how about…” Now it’s in parts too stupid to translate the simplest sentences correctly, and the suggestions it makes are at times as moronic as those made by Google Translations.
If this is a deep-learning AI that learns from users’ translations and the phrases they choose most often – which, by the way, is a valuable, moneys worthwhile contribution of every free user to this project: They invest their time and texts, thereby providing the necessary data for the AI to do the thing as nicely as they brag about it in the first place – alas, the more unprofessional users discovered the translator, the worse the language of this deep-learning bot has become, the greater the aggregate of linguistically illiterate users has become, and the worse the language of this deep-learning bot has become, as it now learns the drivel of every Tom, Dick and Harry out there, which is why I now get their Mickey Mouse language as suggestions: the inane language of people who can barely spell the alphabet, it seems.
And as a thank you for our time and effort in helping them and their AI learn, they’ve lowered the limit from what was once 5,000 to now 1,500…? A big “fuck off” from here for that! Not a brass farthing from me for this attitude and behaviour, not in a hundred years.