Mozilla removes FVD Video Downloader extension from its add-ons store
The FVD Video Downloader is no longer available on Mozilla's add-on repository. Some Firefox users had complained that the add-on was redirecting them to a malicious page.
Mozilla bans the FVD Video Downloader extension
The issue came to light yesterday, when a user reported that Firefox kept redirecting them to a tracking site called "CDNSURE". They were perplexed by the issue, had tried troubleshooting it, from clearing cookies and the cache, and even going to the extent of deleting Firefox's folders. They explained that the browser would load web pages, but after a few seconds would redirect them to the questionable site. The user eventually figured out the cause of the problem, an add-on called FVD Video Downloader. Once they disabled the add-on, the browser worked normally. A few others chimed in, saying they were facing the same problem, and that removing the add-on solved their issue.
Image credit: Mozilla support forums
The add-on seems to be unrelated to FVD Speed Dial, which coincidentally was also banned by Mozilla. Maybe Mozilla doesn't like those initials, eh?
Jokes aside, I wanted to learn more about the add-on, since I had never used it. I managed to access a Google cached version of the FVD Video Downloader add-on's page. The developer's name is FV Video, you can take a look at the add-ons's icon in the screenshot. I couldn't find it on the Chrome web store, but there were 3 or 4 extensions named Flash Video Downloader, including one that has an icon which looks similar to an add-on that was found to inject ads on websites a few years ago.
FVD Video Downloader's last version was 1.32, and it was updated on January 16th, 2019. That's odd, isn't it? How could an outdated add-on suddenly start acting weird? Perhaps something changed in the backend, maybe the servers used to trigger the download were being redirected to the malicious domain? That should be enough for banning the extension, as it would clearly be a violation of the terms and conditions set by the AMO.
Is Mozilla striking add-on developers unfairly with its banhammer?
Some users on reddit were discussing how Mozilla has been silently removing extensions recently. An add-on called Age Restriction Bypass for YouTube, suffered the same fate. The plugin's developer has mentioned that the extension was also removed from the Edge add-ons store for violating their terms of service, well at least here we know that there was a clear breach of the rules. You may use the add-on's functionality by installing a user script using Violentmonkey or a similar extension (FYI: Tampermonkey is no longer open source).
The BlockTube extension has also been removed from Mozilla's add-on repository. Its developer explained that the reason given for the add-on's removal was because it contains "minified, concatenated or otherwise machine-generated code". It was related to the eval function which the add-on was using for blocking content on YouTube. That is literally what the extension is designed to do, to block and filter content. The compressed text editor code was replaced, and the add-on was submitted for review, but Mozilla rejected it again for using the eval function. The add-on developer has resubmitted their extension for review after making some more changes to the code.
Update: The BlockTube extension is available again. End
According to a comment by Juraj Mäsiar, the developer of Group Speed Dial, Mozilla gives a 14-day grace period for add-on developers to fix issues with their extension, failing which results in automatic removal of the plugin from the add-on store. He also pointed out that many developers have complained about Mozilla's add-on review process. Even popular apps like 1Password were not spared from this drama, well at least the reviewers are treating everyone equally.
Update: Juraj has posted a detailed analysis of FVD Video Downloader on reddit. It turns out that the add-on uses obfuscated code for various purposes such as creating a secret iframe injection, including potentially loading third-party iframes, and may even be used to execute malicious commands remotely.He also discovered a couple of other malicious add-ons that are hosted on Mozilla's AMO. The first extension is called Ummy Video Downloader. The former has the same source code as FVD Video Downloader, and even uses the same secret frame injection. and has obfuscated code for creating and loading 3rd party iframes. The other add-on is Video Downloader Professional. It's also called Video Downloader Ummy and was originally named FLV Video Downloader, which he says is definitely malicious. End
Removing malicious add-ons is a good thing, it has to be done to keep users safe, but Mozilla needs to be transparent and explain why an extension was delisted. This seems eerily similar to how Google bans apps from its Play Store. Good extensions have to pay the price sometimes. The recent ByPass Paywalls Clean issue is another example of this. Mozilla never revealed the reason for banning the plugin, but the developer confirmed it was due to a DMCA notice, which we had speculated. They also said that the add-on would not return to Mozilla's store again. You may install a signed version of it from the project's GitLab page.
Let's get back to FVD Speed Dial's removal, the add-on's page clearly states the reason behind the ban. Why not do the same for all extensions?Advertisement