How companies take advantage of Mozilla's Addon repository
Mozilla's Addon repository is one of the backbones of the Firefox web browser, Thunderbird email client and various other programs based on the same core. Users can download and install add-ons with just a few clicks to benefit from new or modified features they make available in the installed program.
Add-ons are reviewed by Mozilla before they are added to the repository on the site, and while many may think that these reviews are thorough enough to keep illegitimate add-ons out, it may not always be the case.
What would you say if I told you that companies buy add-ons from developers to make a profit? You'd probably ask how they'd make a profit from these add-ons and I'd reply to you that they monitor what you do on the Internet.
While this may sound like fiction let me reassure you that it is not. Take the Autocopy extension as an example. It is a popular extension with more than 57k active users at the time of writing and 481 user reviews and an overall star rating of four stars out of five.
When you look at the most recent comments you will notice that they are all rating the add-on with one star, the lowest rating available.
What do the reviewers complain about? According to them, the extension is sending information to a server on every page visit.
Besides providing auto copying, this add-on sends info to stats.wips.com about EVERY page you visit and how long you stay there. Highly NOT recommended!
We need to go back to the beginning for a short moment before we dive into this again. The AutoCopy extension was purchased by Wips recently from its former author who confirmed that to me in an email. So, the extension ownership changed hands and what seems to have happened thereafter is that the company added the "phone home" feature to the add-on.
The company responded to several user reviews confirming the ownership change as well and that the extension was sending statistics to company servers.
Hi,there is no need to worry, we provide this add-on for free without any spyware, spam or advertising.
You can turn the stats off in the options.
I contacted the company to find out more about this. Lukas Marek, the company CEO told me that the extension was not sending any browsing data- but did so in the past - and that the connections that are still made by the extension are for analytical purposes only.
What I can confirm is that the extension is still contacting servers on every page load of the browser.
If you look into the about:config dialog you will find several stat related parameters including a client ID (likely unique identifier) and options to disable the sending of permissions.
When you look at the privacy policy on the Wips website you will notice a chapter about information it collects from the extension service.
In addition, for every Web page you view while using the Extension Service, the Wips.com software transmits and stores your IP address, which may include a domain name, the full URL of the Web page you are visiting, general information about your browser; general information about your computer's operating system; your Wips.com cookie number or other identifying alphanumerical information enabling Wips.com to identify your computer; and the date and time the above information is logged.
Autocopy is not the only extension the company seems to have bought. It is now listed as the owner of eleven add-ons including BlockSite, an add-on used by more than 210,000 users and Fasterfox Lite, used by more than 115,000 users.
When you try to install Fasterfox Lite you are taken to an intermediary page where you need to accept the end user license agreement before you continue. A note at the beginning states that the company collects and stores information about web pages that users visit and that this may in some cases include personally identifiable information.
WIPS.COM'S EXTENSION SERVICE COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW. IN SOME CASES, INFORMATION COLLECTED BY THE EXTENSION SERVICE MAY BE PERSONALLY IDENTIFIABLE, BUT PRIVACY IS IMPORTANT AT WIPS.COM, AND WE DO NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY WIPS.COM USER.
I tried to get a better understanding about ownership changes. A Mozilla representative confirmed that "no interaction with Mozilla representatives is necessary for a transfer of ownership" and that a change is not highlighted anywhere on the Mozilla website.
All add-on updates or new versions are reviewed by Mozilla on the other hand which is certainly reassuring. It is still not clear why new versions of the extension were approved by Mozilla since they phone home and at least one, Autocopy, does not mention that anywhere on the add-ons page.
So, what can you do to protect yourself from this practice? Not much it seems. While you could dive into the code of the extension it is not really something that the majority of users can and want to do. The only other option to find out about a built-in phone home feature is to install the extension and monitor the browser's connections afterwards.
Update: Statement from Mozilla
It appears you tested Version 1.0.8 of AutoCopy. This version is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic.
After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and what the majority of users have installed.
Advertisement
Does anyone know what to remove or comment out in the Autocopy extension to prevent it from collecting stats and connecting to wips? I’ve tried Autocopy 2 and it doesn’t work nearly as well as the original.
I hope you get somewhere with this Martin.
I’ve been reporting various addons to Mozilla for months for exactly this type of behavior. Unfortunately Mozilla have never responded.
It seems (sadly) that “Reviewed by Mozilla” doesn’t mean much at all. The only safe way to use Addons in Firefox is to go through the code yourself.
I’m curious, is the story any different with Chrome and its extension store?
No, it is the same there right now. See this example for instance: http://www.labnol.org/internet/sold-chrome-extension/28377/
Indeed. Ars also did a more in depth article on this very topic for Chrome which included that story.
http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/
I suppose the one difference between the two is that automatic updates *can* be disabled in Firefox.
I do not know if this is still the case, but in the past, only fully reviewed add-ons were allowed to auto-update. Can’t really say if this holds true still.
I don’t know. Why don’t you go and find out, and then write a blog presenting your findings?
Acknowledging this most valuable article a bit lately.
I admit I hadn’t taken the full dimension of the complexity : water-proof can be a concept only sometimes.
Thanks Martin for a detailed article as always.
I’ll be aware from now on that there can be a gap between the official acceptance/validity of an add-on and it’s true face revealed over time, and that checking possible connections established by a new add-on is a good practice.
another one that I’m using :(
Yes, this is the whole reason why AutoCopy 2 was made:
https://addons.mozilla.org/en-US/firefox/addon/autocopy-2/
Something similar happened to QuickDrag:
https://addons.mozilla.org/en-US/firefox/addon/quickdrag/
Version 2.1.3.23 added a completely useless and invasive “Enable Marketing” option. You can disable this function, BUT IT SILENTLY RE-ENABLES ITSELF SEVERAL DAYS LATER!! Very sneaky. Downgrading to 2.1.3.21 completely removes said Enable Marketing option. Version 2.1.3.23 says it adds “7.0 compatibility” but version 2.1.3.21 works just fine in Pale Moon 15.3.2.
I will not upgrade QuickDrag any longer and will look for a better alternative if and when QuickDrag becomes unusable, which I hope never happens since its “drag an image to save it” is so useful I cannot browse without it. I pity anyone who still does the same “right-click>save as” routine. Never going back to that, ever.
Unfortunately I didn’t notice that until I tried it.
Still, AutoCopy2 is free and clear of wips, and I’m still happily using it *whew*
@Nero: the kioskea solution works,
but ONLY in FF under Linux (not in WIN).
There are many AHK scripts to AutoCopy available,
but none work reliably to copy text/images from a web page –
by just simply “selecting” the text/images…,
(w/o having to press any additional kbd. or mouse keys).
Wish somebody came up with an AHK script.
Well, I guess the challenge has been launched :-)
AHK enthusiasts out there? DONATION Coder mavericks?
You are being called !
I’m using AutoCopy2 I just realized and it doesn’t have this behavior..must be unrelated.
I too have (now had) this extensión installed. Apparently we can still have this functionality due to a built in variable in FF.
http://en.kioskea.net/faq/14653-firefox-enable-the-clipboard-autocopy-feature
Martin, thanks for a great article.
Very well done Martin.
These are important issues that end users should be made aware of and since you are the first to write about it, hopefully others will follow your lead on this and write about it too.
As far as Mozilla, transparency is important to them and the fact that a user’s data is their own and they should have full control of it is also very important to them.
Any add-ons that collects/transmits any information is supposed to include a privacy policy. It’s the first section of the developer agreement.
Developer Agreement:
“1. Responsibility for AMO Contributions. You represent and warrant that:
if any information about the user or usage of the AMO Contribution is collected or transmitted outside of the user’s computer, the details of this collection will be provided in the description of the AMO Contribution and you will provide a link to a privacy policy detailing how the information is managed and protected; ”
An AMO Contribution is any add-on uploaded to the add-ons site.
What’s important here is that it’s up to end users to take the time to actually read privacy policies and any EULA no matter what they installing or where it’s from.
About the change of hands in ownership. Well, that’s tough, and it’s also tough if a developer decides to monetize their add-on on their own.
A few years ago a theme developer did just that and after an update, I noticed that Ask bookmarks, search, and other things were suddenly added to my Firefox. It took time to pin down where that all came from and since it was through an automatic update and updates can include anything and without warning, how was I to know.
To avoid things like this, a user can disable auto-updates for add-ons and when they do a manual check and see that there are updates available, they can read the release/version notes on the add-on’ page before updating.
That can be time consuming and a pain in the butt, but if a user cares about what goes into their computer and more so out of it, they’ll take the time to do it.
I’m not sure what Mozilla could do if anything at all to have users notified when ownership of an add-on changes hands especially with automatic add-on updates. There should be something, because we try to trust what we add to our computers and trust must be earned, or we at least need to read why we should trust an add-on’s developer and when a company buys an add-on, they’re buying the trust that was established between the developer and user.
If I had any ideas, I’d file a bug.
Thanks for looking out for us all and the excellent journalism.
It’s a rarity nowadays especially with tech sites.
WOW! Just wow! Thanks for the heads up, Martin. Great article, great research.
I think this case may set some sort of precedence at Mozilla Add-ons. Please keep us informed about the eventual outcome.
As a side note, I’ve just submitted a couple of reviews at the pages of two other Wips.com add-ons (“Handy Maps” and “Fasterfox Lite”), warning potential users about the spyware-like behavior of that company.
What about add-ons like Ghostery? It supposedly blocks tracking cookies from aggressive tracking sites. But, in the process, surely it monitors all sites visited with the browser. Would Ghostery be providing all of my browising habits to the owner?
EXCELLENT report, Martin!!
I have just UNinstalled the “gPDF” extension from my FF,
(another WIPS “property”).
but…. I’m still using the Autocopy OLD version: 1.02.
2 Qs:
Q1) Is AutoCopy version 1.02 safe?
(It’s dated * before the original author *,sold it to the evil WIPS empire …).
Q2) How can I check (simply….),
that this OLD version 1.02 of Autocopy,
is not “phoning home”?
Martin,,,I see that you used a pgm. called “CurrPorts”
in the research of this post.
A simple, stepXstep tutorial on “CurrPorts”
on how to monitor the “calling home” behavior,
would be a perfect complement to this great article…
Thanks!
Martin, it appears that AutoCopy sends some data once after installation (a user guid, version number, extension ID, project ID and state), and after that is stops. It could have a timer though and call home again at a later time, but I didn’t run it long enough to see that.
Be aware that sometimes blocking a single IP is not enough, because the IP used by WIPS can change in the future. If I would use AutoCopy, I would uninstall it completely, because you will never know what data the next version will send home…
@ Prince
To be doubly sure, block Wips’ IP, 88.86.125.12, in your firewall.
Quick one, what key is the one to disable it and does it really disable the sending, or just placebo?
It is the highlighted preference that you see on the second screenshot. I only tested it a couple of minutes and it seems to have stopped the sending in that time.
Shouldn’t Mozilla warn the users in Add-On page about this or even remove it from their repository?
Martin, could you push forward to get an official response from Mozilla if they have any intention to resolve such issues?
I have forwarded the article to Mozilla, waiting for a response.
I’ve been reporting these addons for months Martin, Mozilla never reply :(
Thanks Martin !
Kindly inform what about the Ad-block Plus, Ghostery & Donot Track me Add-ons ? Will they Do also send data to back ???
wow…. removed autocopy. thanks Martin
I just checked AutoCopy and I found out that they are sending the data over SSL. So there is no immediate way to see what kind of data are they sending.
An important article, Martin. Well done.
> the full URL of the Web page you are visiting
The critical thing here is the metadata. It’s nothing for these people to gain a bit of info here, and a bit more there, to put together the puzzle very rapidly. Say someone visits a certain facebook page often and stays there long. Facebook’s policy is to require actual names.The math is pretty easy.
This is one reason I appreciate Opera, which exercises tight control of the extensions it offers. As far as I know, Opera has a long record of respecting privacy.
One thing one can do if they absolutely need these extensions is block the home site via the hosts file or some other means. But of course, 98% of users are not going to do that, and few will ever even know a problem exists. Mozilla really should have been doing a lot more to protect their users. Is there profit in it for them for commercial extensions?
I was looking around some of my devices to see how much affect Wips.com might have on my life and what I found on my Apple Itouch was very enlightening. I found that Apple offers and highly recommends several Wips.com apps.
I guess Apple knows a money maker when they see one!
Thanks for the information, Martin! The article is very informative and raises an interesting problem about trust. It seems that trusting an application, a firm or a developer once is not enough anymore; a constant check is needed now, and I’m afraid that not everyone will be aware (or able) to do that…
Great article Martin!
But we must keep in mind that the “Consumer is King”! I just went to Wips.com and checked to see what extensions they own. I then went to my extensions in FF and Chrome and made certain that I didn’t have any of their extensions and add-on’s installed on my computer. I did not. The point of this message is that we the consumer can control these companies. If the word gets out to enough people and people stop using ANY add-on’s owned by Wips.com, it won’t be long before Wips.com folds up. Granted they will probably change the name of their company and start right back up, (or already have ownership through different names). But fortunately there are people like You and Ghacks technology to help keep us informed!
Thanks Martin!
Martin, what data do the add-ons send in the picture? Have you checked it with Wireshark?
I only checked it briefly and the data was not transferred in clear text.
I agree with Mike’s & TheRube’s comments.
Excellent article Martin. This kind of journalism and original content creation is what sets you apart from all the other tech re-bloggers out there.
Keep up the good work.
Not cool. Thanks for the heads up, Martin.
Not cool.
Indeed!
Mike. I agree with your comment – – 100%!
Thank You,
TR
This is a beautifully informative article that highlights the constant dilemma of whether certain internet practices are ethically acceptable or not. I have sympathy for Mozilla, who I am sure do their utmost to ensure that addons are non-intrusive. Ultimately, companies like wips.com will be policed by users, who will decide whether security lists need to be updated to prevent such “analytical” methods.
Thank you for the excellent research, Martin … much appreciated.
They own Simple Adblock, and another 10 extensions.Including some google Chrome addons.
Fortunately I`dont use any of these extensions.
Thanks for the heads up Martin.