Mozilla needs a new audit process in regards to add-on ownership changes

Martin Brinkmann
Mar 12, 2013
Updated • May 6, 2013

Back in January 2013 I started to investigate ownership changes on Mozilla's add-on repository, where a company offered add-on developers money to take over their projects.

In this case, the company managed to buy high-profile add-ons such as Fasterfox Lite, BlockSite or AutoCopy from developers. Shortly thereafter, new versions of these extensions were uploaded to the repository.

These updates, like all other add-on updates, are checked by Mozilla. Even though they contained routines to send anonymous usage data to company servers, they passed the inspection and were accepted.

Firefox users quickly started to award one-star ratings to these add-ons, but this does not seem to have changed the overall popularity of the extensions, thanks to the high ratings they received prior to the ownership change.

Some user comments on Mozilla:

I have to leave this add-on because of the automatic non-removable spying and tracking. This add-on used to be really good: technically it still is, however I cannot tolerate the tracking and spying, as I am pretty sure that they are selling the information... Sorry.

Beware!!! This is a SPYWARE add-on, that now belongs to a company named Wips.com. DO NOT INSTALL this add-on, it sends that company information about every web page you visit.

It is clearly stated on their privacy policy, although sadly few people care to read that: "WIPS.COM'S EXTENSION SERVICE COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW. IN SOME CASES, INFORMATION COLLECTED BY THE EXTENSION SERVICE MAY BE PERSONALLY IDENTIFIABLE"

That company is not the only one acquiring add-ons from developers, though. A recent discussion on the German Camp Firefox forum highlights another developer that seems to do the same thing. This time, though, it seems to integrate adware into the extensions.

As the other reviews indicate, since its version 1.5.3 or earlier, this addon injects ads in webpages that use jquery. This is done without the user's consent, which shouldn't be tolerated by Mozilla. This addon seems to infringe at least two addon policies.

If I could give Quick Locale Switcher ZERO stars I would. If you don't believe me that this add-on installs nasty ADWARE on to your computer just read their Privacy Policy. Click the link right beside the install button. They disclose the adware in the privacy policy. It's called WizeShoppy and it's nasty stuff. You've been warned.

Some of the extensions are again high-profile extensions like IE View, FabTabs or Quick Locale Switcher, with thousands of users each.

Mozilla seems to have removed some versions of IE View that the new company uploaded, but has not touched the other extensions yet. In the case of IE View, the add-on seems to have been reset to version 1.5.1, the last version that the original developer uploaded. You can still grab the four newer versions that the developer added to the add-ons repository, though, under version history.

The current review or audit process seems inadequate to deal with ownership changes. While Mozilla can't do anything about changes of ownership - and should not - it may be a good idea to look more closely at the first versions that are released after ownership changes.

I do not have any insight into the review process, but I find it puzzling that add-ons pass the review when the policies state that add-ons are prohibited under the following circumstances:

  • Add-ons that make changes to web content in ways that are non-obvious or difficult to trace by their users
  • Whenever an add-on includes any unexpected* feature that compromises user privacy or security (like sending data to third parties) the features must adhere to the following requirements: All changes must be opt-in, meaning the user must take non-default action to enact the change.

Those add-ons clearly break those policies.

Comments

  1. KRS said on March 22, 2013 at 10:14 am

    1) Will I still be tracked if I run Firefox inside Sandboxie? I fear the answer is Yes.
    2) Is there a frequently updated list of add-ons that compromise privacy?
    3) Do any other browsers have better protection?

    1. Martin Brinkmann said on March 22, 2013 at 11:03 am

      1. Yes, you will be tracked, but not across sessions likely, unless the add-on uses unique identifiers to identify users.
      2. No, there is no such thing.
      3. No, it is unlikely that they do.

  2. Pierre said on March 13, 2013 at 4:32 am

    The WizeShoppy crapware has been added to the “Copy Link Name” addon:
    https://addons.mozilla.org/en-US/firefox/addon/copy-link-name/versions/

    I’ve disabled updates for this addon, as a precaution.

  3. Mystique said on March 13, 2013 at 2:46 am

    Perhaps a simple solution is an addon until Mozilla addresses the issue, an addon or userscript that can block and filter addons and developers from the Mozilla website and also scan incoming addon installations and warn users with an option to block, disable or in the unlikely situation choose to still install the addon.

    It's sad that we have to go to such measures but at this stage it looks like it is a necessary step to avoid falling victim to these unscrupulous developers.

    I do agree that the more current ratings should hold more weight when it comes to addons.

  4. RODNEY COPELAND said on March 13, 2013 at 12:00 am

    Thanks for the heads up RE IE View. A comment indicated the new developer said you can disable the shopping comparison option on the last tab of the options page; but does this disable the alleged tracking?

    Interesting that v1.5.1 is there now, and you do not have to remove 1.5.5 first – just click install on the addons page and the down-level v1.5.1 installs in place of the newer version.
    BUT, it seems you have to do this manually – I updated my addons yesterday thru the FF addons page and IE View v1.5.5 was not replaced with v1.5.1 then.

  5. Shawn said on March 12, 2013 at 9:54 pm

    I thought I saw no-script indicated superfish.com a few weeks back. Goofed up logging into FacePage too a couple times. Did a quick search indicated some other IETab addon. I promptly uninstalled it.

  6. Ken Saunders said on March 12, 2013 at 6:41 pm

    You probably noticed that the add-ons that you mention are from the same company/user.
    ppclick
    http://www.ppclick.com/ (coming soon)
    https://addons.mozilla.org/en-US/firefox/user/6636647/

    I’ve removed FabTabs from my site.
    Thanks for the post and for continuing to keep your readers’ best interest in mind.

  7. Zeus said on March 12, 2013 at 2:16 pm

    Fasterfox Lite is adware now? Crap! Thanks for the warning. :/

    1. Antonio said on March 13, 2013 at 6:23 pm
  8. Transcontinental said on March 12, 2013 at 1:27 pm

    Just a word for the fun.

    We all know Virustotal.com, and we know it’s been acquired by Google. Virustotal has since included Webutation in its domain characterization dataset ( http://blog.virustotal.com/2012/09/virustotal-webutation.html ). Good.

    Webutation had and has updated the add-on ‘Webutation – Reputation & Security’ ( https://addons.mozilla.org/en-US/firefox/addon/webutation-reputation-security/ ) version 2.04 at this time. Looks nice. One problem though: no privacy policy. That means the add-on has not to justify — if applicable — the fact of following every page the user visits, as the add-on’s purpose is to deliver automatically (no user input) the rating of visited pages.

    This add-on is not malware but it is questionable because of lack of privacy policy. Let’s not forget that add-on intrusion operates the way intelligence loves it, that is smoothly, with no harm, dedicated to the protection of the honest citizens.

  9. Anonymous said on March 12, 2013 at 10:03 am

    Addons should show the average star rating from the last month in both the online addon list and in the addon manager. As Firefox updates addons automatically without telling users, this would be a great way for users to gauge when something fishy is being reported by the community.

  10. Paul(us) said on March 12, 2013 at 8:49 am

    Maybe spy add-on (‘s) could be colored coded like red.

    1. Transcontinental said on March 12, 2013 at 10:49 am

      Cold War is over. Officially :)
      Invisible, transparent color coded would be adequate for a spy add-on!

  11. city_zen said on March 12, 2013 at 6:20 am

    Martin, I agree 100% with you.
    In fact, I’m the author of one of the comments that you quoted. I posted the comment to warn potential users of that add-on about the sneaky adware features that had recently been introduced in the add-on’s code. I also have to thank you because I became aware of this problem with add-ons precisely by reading your previous article on the subject.
