Firefox "security" add-on exposes users' Web browsing history

[ronjor]

Quote:

By Sean Gallagher

A Firefox add-on that gives users the ability to collect information on the IP address, server hostname and other related data for websites they visit also has the added bonus feature of reporting the same information on every site visited to a third-party server, SophosLabs reports. The ShowIP add-on exposes the full Web-browsing history of its users to the add-on's back-end service—and anyone who can intercept the unencrypted packets.

http://arstechnica.com/business/news...ng-history.ars

[Amit]

I'm glad I'm not using anymore.....

[m00nbl00d]

That extension is not alone. It also happens with Google Chrome. I've been in touch with the team behind one such extension, which also works in Firefox by the way. I contacted them may two weeks ago... a bit more, perhaps.

I can say the extension in question provides search engine ratings, plus block access to malicious websites. But, it checks a cloud-based reputation system, and the info is sent over http, not https. Not to mention that it will send full URLs... For instance, if you search for medicine in the search engine... it will send the full search query... even if the search engine itself isn't supported.

If they don't address it soon enough, I'll reveal which extension is, so that they will see themselves forced to fix the issue.

There's also another extension, which only works for Google Chrome, which does track users without their consent; there's no mention at the extension's Chrome Web Store page, official website, nor in the extensions Options. This one blocks ads...

I can say that more than a week later, the extension's developer still refused to explain why he doesn't disclose that information; why he doesn't let his users know about it. I can say the extension is Adblock.

This is part of the code the extension has, in one of its JavaScript files, named stats.js:

Code:

// Allows interaction with the server to track install rate
// and log messages.
STATS = (function() {
  var stats_url = "http://chromeadblock.com/api/stats2.php";

  //Get some information about the version and os
  var version = (function() 

There's a lot more there, but I don't understand most of the JavaScript language, to be honest.

He did send me a reply to my first e-mail, due to some other suggestions I made, but he never answered about why he never made publicly known that such "functionality" is part of the extension.

So... not only we can't trust the bad guys... we also cannot trust the so-called good guys.

[pandorax]

@m00nbl00d, I didn't get it. Do you say adblock is tracking user's web history?

[m00nbl00d]

Quote:

Originally Posted by pandorax

@m00nbl00d, I didn't get it. Do you say adblock is tracking user's web history?

I don't know what it is tracking. You're going to have to ask the developer what information he has been getting. I asked him what is meant by and log messages, and he mentioned it's not used anymore...

Still, the issue is not having this "functionality"; it's rather not letting the user know about it. It's about disclosure - there's none. I actually discovered this, because I do check each and every extension before trying it and/or using it.

At this point, I got no bloody idea about what was/is being logged and sent by the extension to the developer. All I know is that, not disclosing such information to the public is a bit "awkward".

I know that, as far as I'm concerned, I got no trust in this developer and his extension. There's some stats tracking... whatever it tracks..., but no disclosure.

I hope this clarifies a bit what I tried to say about Adblock.

[dw426]

I'm about as knowledgeable of Javascript as you are, but the part you show doesn't look very nefarious. It talks of OS version and the version of itself, plus install rates (which I'll assume is related to extension installs). I'm sure it has to track some web usage in order for the filters to work. How far that goes though, your guess is as good as mine.

The big thing to take away from here is that extensions are yet another hole opened up on a system. Yes, they are fantastic additions to the browsing experience in many cases, and, many security extensions do work properly and do provide an extra layer of help (Noscript is a great example). However, unless you designed the extension yourself, it's often not very easy to determine what else these extensions may be doing, or how they're doing it.

Blind trust is bad no matter who you're dealing with.

Edit: I think before many jump on the "developer is evil" train, we need to understand what exactly is tracked, if anything. Non-disclosure always opens up a can of worms in the privacy/security world, so, unless the guy is getting paid for data collection (which, if he were, and disclosed it, it would probably kill the extension right then and there), he probably should "open up" a bit.

[pandorax]

Quote:

Originally Posted by m00nbl00d

I hope this clarifies a bit what I tried to say about Adblock.

Thanks. Got it

[Hungry Man]

As with all software extensions can be exploited. Security is rarely the priority of a development cycle and it's usually compromised to get the product working/ out the door fast.

The fewer extensions the better.

[siljaline]

Originally reported by Sophos

[siljaline]

As cited here, there are concerns of too many releases too quickly. Security is always a priority regardless of the development cycle.
The sooner bugs are fixed, the faster it can be released to you.

Quote:

Originally Posted by Hungry Man

As with all software extensions can be exploited. Security is rarely the priority of a development cycle and it's usually compromised to get the product working/ out the door fast.

The fewer extensions the better.

Some people use 25 add-ons for more privacy and finally they lose their privacy due to these add-ons That's really funny ...

Quote:

Originally Posted by Hungry Man

The fewer extensions the better.

+1

[dw426]

Quote:

Originally Posted by tpro

Some people use 25 add-ons for more privacy and finally they lose their privacy due to these add-ons That's really funny ...



+1

I can't for the life of me figure out why anyone besides gullible people would think they need 25 add-ons to take care of privacy threats. There's not even that many privacy threats to need all that. They're not just over-lapping insanely, they're begging for something to break.

[Noob]

I've never been a fan of extensions.
That's why i never understood the the "extensions" benefit of Firefox.

[siljaline]

A full list of ad-ons that are currently blocked. If this is of any help.

Quote:

Originally Posted by Noob

I've never been a fan of extensions.
That's why i never understood the the "extensions" benefit of Firefox.

[Daveski17]

Quote:

Originally Posted by siljaline

A full list of ad-ons that are currently blocked. If this is of any help.

Thanks, that's quite interesting. I love my extensions on Fx, after all, that's what Fx is all about in many ways & customisation is a huge 'selling' point. Due to Mozilla's deeply felt need to upgrade every five minutes however, many of these are breaking on SeaMonkey. One of the things I like about Maxthon is that it has virtually everything you need 'out of the box'. In fact, I only have three extensions: Maxthon Flag (like Flagfox) & two mail notifiers (Google/Yahoo!).

[siljaline]

There have been numerous complaint threads on the Forum that Mozilla has been overzealous of late in disabling known add-ons and extensions.
Best best would be to contest whatever add-on and or extensions that you are no longer able to use with the Mozilla Community.

As for alternate Browsers to Mozilla, being an ex MS IE and Security MVP, I could only offer that you use IE 9.

[AMIGA500]

Im a former firefox user myself and i now use comodo dragon.
It has a neat incognito mode but the downside of this is that it disables my two extensions which are WOT and adblock.it also incorparates a website scanner running in real time.Its a really good browser and it faster than firefox.
Ive always found that it is the numerous extensions to firefox that ultimately slow it down.
Regards.

[Chiron]

Quote:

Originally Posted by Beethoven1770

Im a former firefox user myself and i now use comodo dragon.
It has a neat incognito mode but the downside of this is that it disables my two extensions which are WOT and adblock.

You can select the option to run these in incognito if you wish.