Mozilla needs a new audit process in regards to add-on ownership changes
Back in January 2013 I started to investigate a matter about ownership changes on Mozilla's Add-on repository where a company offered add-on developers money to take over their projects.
In this case, the company managed to buy high profile add-ons such as Fasterfox Lite, BlockSite or AutoCopy from developers. Shortly thereafter new versions of these extensions were uploaded to the repository.
These, like all other add-on updates, are checked by Mozilla, and even though they did contain routines to send anonymous usage data to company servers, they passed the inspection and were accepted.
Firefox users quickly started to award one-star ratings to these add-ons, but this does not seem to have changed the overall popularity of the extensions, thanks to the high ratings they received prior to the ownership change.
Some user comments on Mozilla:
"I have to leave this add-on because of the automatic non-removable spying and tracking. This add-on used to be really good: technically it still is, however I cannot tolerate the tracking and spying, as I am pretty sure that they are selling the information... Sorry."
"Beware!!! This is a SPYWARE add-on, that now belongs to a company named Wips.com. DO NOT INSTALL this add-on, it sends that company information about every web page you visit."
That company is not the only one acquiring add-ons from developers, though. A recent discussion on the German Camp Firefox forum highlights another developer that seems to do the same thing. This time, though, it seems to integrate adware into the extensions.
"As the other reviews indicate, since its version 1.5.3 or earlier, this addon injects ads in webpages that use jQuery. This is done without the user's consent, which shouldn't be tolerated by Mozilla. This addon seems to infringe at least two add-on policies."
Some of the extensions are again high profile extensions like IE View, FabTabs or Quick Locale Switcher, with thousands of users each.
Mozilla seems to have removed some versions of IE View that the new company uploaded, but has not touched the other extensions yet. In the case of IE View, it seems to have been reset to version 1.5.1, the last version that the original developer uploaded. You can still grab the four newer versions that the developer added to the add-ons repository under version history, though.
The current review or audit process seems inadequate to deal with ownership changes. While Mozilla can't do anything about changes of ownership - and should not - it may be a good idea to look more closely at the first versions that are released after ownership changes.
I do not have any insight into the review process, but find it puzzling that add-ons pass the review when the policies state that add-ons are prohibited under the following circumstances:
- Add-ons that make changes to web content in ways that are non-obvious or difficult to trace by their users
- Whenever an add-on includes any unexpected* feature that compromises user privacy or security (like sending data to third parties) the features must adhere to the following requirements: All changes must be opt-in, meaning the user must take non-default action to enact the change.
Those add-ons clearly break those policies.