Firefox "security" add-on exposes users' Web browsing history

Discussion in 'other security issues & news' started by ronjor, May 1, 2012.

Thread Status:
Not open for further replies.
  1. ronjor
    ronjor Global Moderator

    http://arstechnica.com/business/new...add-in-exposes-users-web-browsing-history.ars
  2. ams963
    ams963 Registered Member

    I'm glad I'm not using it anymore.....
  3. m00nbl00d
    m00nbl00d Registered Member

    That extension is not alone. It also happens with Google Chrome. I've been in touch with the team behind one such extension, which also works in Firefox by the way. I contacted them maybe two weeks ago... a bit more, perhaps.

    I can say the extension in question provides search engine ratings, plus blocks access to malicious websites. But, it checks a cloud-based reputation system, and the info is sent over http, not https. Not to mention that it will send full URLs... For instance, if you search for medicine in the search engine... it will send the full search query... even if the search engine itself isn't supported.

    If they don't address it soon enough, I'll reveal which extension it is, so that they will see themselves forced to fix the issue.

    There's also another extension, which only works for Google Chrome, which does track users without their consent; there's no mention at the extension's Chrome Web Store page, official website, nor in the extension's Options. This one blocks ads...

    I can say that more than a week later, the extension's developer still refused to explain why he doesn't disclose that information; why he doesn't let his users know about it. I can say the extension is Adblock.

    This is part of the code the extension has, in one of its JavaScript files, named stats.js:

    Code:
    // Allows interaction with the server to track install rate
    // and log messages.
    STATS = (function() {
      var stats_url = "http://chromeadblock.com/api/stats2.php";
    
      //Get some information about the version and os
      var version = (function() 
    
    There's a lot more there, but I don't understand most of the JavaScript language, to be honest.

    He did send me a reply to my first e-mail, due to some other suggestions I made, but he never answered about why he never made publicly known that such "functionality" is part of the extension.

    So... not only we can't trust the bad guys... we also cannot trust the so-called good guys. o_O o_O
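The manual check described in the post above (reading an extension's JavaScript to see where it sends data) can be partly automated. The following is an added example, not part of the thread and not code from any extension: it lists hard-coded URLs in source files and flags those that use a cleartext scheme. The name `auditSources` and the `update.js` / `example.invalid` sample are constructed for illustration; the `stats.js` lines are the ones quoted in the post.

```javascript
// Added example: static check for hard-coded remote endpoints in extension source.
// `auditSources` and the sample file map are hypothetical names for illustration.

// Matches http(s)/ws(s) URLs inside single-, double- or backtick-quoted strings.
const URL_IN_STRING = /(["'`])((?:https?|wss?):\/\/[^"'`\s]+)\1/g;

function auditSources(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split(/\r?\n/).forEach((text, idx) => {
      for (const m of text.matchAll(URL_IN_STRING)) {
        let url;
        try { url = new URL(m[2]); } catch { continue; } // skip malformed literals
        findings.push({
          file,
          line: idx + 1,
          url: m[2],
          host: url.hostname,
          // http: and ws: carry the request (and any URL or query in it) in cleartext
          plaintext: url.protocol === "http:" || url.protocol === "ws:",
        });
      }
    });
  }
  return findings;
}

// Sample input: the stats.js fragment quoted in the post above, plus one
// constructed file (example.invalid) showing a TLS endpoint for contrast.
const sample = {
  "stats.js": [
    "// Allows interaction with the server to track install rate",
    "// and log messages.",
    "STATS = (function() {",
    '  var stats_url = "http://chromeadblock.com/api/stats2.php";',
  ].join("\n"),
  "update.js": 'var feed = "https://example.invalid/filters.txt";', // constructed
};

const report = auditSources(sample);
for (const f of report) {
  console.log(`${f.plaintext ? "PLAINTEXT" : "tls      "} ${f.file}:${f.line} ${f.url}`);
}
```

A static scan like this only finds literal endpoints; URLs assembled at runtime need to be confirmed by watching the extension's actual network requests.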
  4. pandorax
    pandorax Registered Member

    @m00nbl00d, I didn't get it. Do you say adblock is tracking user's web history?
  5. m00nbl00d
    m00nbl00d Registered Member

    I don't know what it is tracking. You're going to have to ask the developer what information he has been getting. I asked him what is meant by "and log messages", and he mentioned it's not used anymore...

    Still, the issue is not having this "functionality"; it's rather not letting the user know about it. It's about disclosure - there's none. I actually discovered this, because I do check each and every extension before trying it and/or using it.

    At this point, I got no bloody idea about what was/is being logged and sent by the extension to the developer. All I know is that, not disclosing such information to the public is a bit "awkward".

    I know that, as far as I'm concerned, I got no trust in this developer and his extension. There's some stats tracking... whatever it tracks..., but no disclosure.

    I hope this clarifies a bit what I tried to say about Adblock. :)
  6. dw426
    dw426 Registered Member

    I'm about as knowledgeable of Javascript as you are, but the part you show doesn't look very nefarious. It talks of OS version and the version of itself, plus install rates (which I'll assume is related to extension installs). I'm sure it has to track some web usage in order for the filters to work. How far that goes though, your guess is as good as mine.

    The big thing to take away from here is that extensions are yet another hole opened up on a system. Yes, they are fantastic additions to the browsing experience in many cases, and, many security extensions do work properly and do provide an extra layer of help (Noscript is a great example). However, unless you designed the extension yourself, it's often not very easy to determine what else these extensions may be doing, or how they're doing it.

    Blind trust is bad no matter who you're dealing with.

    Edit: I think before many jump on the "developer is evil" train, we need to understand what exactly is tracked, if anything. Non-disclosure always opens up a can of worms in the privacy/security world, so, unless the guy is getting paid for data collection (which, if he were, and disclosed it, it would probably kill the extension right then and there), he probably should "open up" a bit.
    Last edited: May 1, 2012
  7. pandorax
    pandorax Registered Member

    Thanks. Got it :thumb:
  8. Hungry Man
    Hungry Man Registered Member

    As with all software, extensions can be exploited. Security is rarely the priority of a development cycle and it's usually compromised to get the product working/out the door fast.

    The fewer extensions the better.
  9. siljaline
    siljaline Registered Member

    Originally reported by Sophos
  10. siljaline
    siljaline Registered Member

    As cited here, there are concerns of too many releases too quickly. Security is always a priority regardless of the development cycle.
    The sooner bugs are fixed, the faster it can be released to you.

  11. carat
    carat Guest

    Some people use 25 add-ons for more privacy and finally they lose their privacy due to these add-ons :D That's really funny ...

    +1 ;)
  12. dw426
    dw426 Registered Member


    I can't for the life of me figure out why anyone besides gullible people would think they need 25 add-ons to take care of privacy threats. There's not even that many privacy threats to need all that. They're not just over-lapping insanely, they're begging for something to break.
  13. Noob
    Noob Registered Member

    I've never been a fan of extensions. :D
    That's why I never understood the "extensions" benefit of Firefox. :rolleyes:
  14. siljaline
    siljaline Registered Member

    A full list of add-ons that are currently blocked. If this is of any help.

  15. Daveski17
    Daveski17 Registered Member

    Thanks, that's quite interesting. I love my extensions on Fx, after all, that's what Fx is all about in many ways & customisation is a huge 'selling' point. Due to Mozilla's deeply felt need to upgrade every five minutes however, many of these are breaking on SeaMonkey. One of the things I like about Maxthon is that it has virtually everything you need 'out of the box'. In fact, I only have three extensions: Maxthon Flag (like Flagfox) & two mail notifiers (Google/Yahoo!).
  16. siljaline
    siljaline Registered Member

    There have been numerous complaint threads on the Forum that Mozilla has been overzealous of late in disabling known add-ons and extensions.
    Best bet would be to contest whatever add-ons and/or extensions you are no longer able to use with the Mozilla Community.

    As for alternate Browsers to Mozilla, being an ex MS IE and Security MVP, I could only offer that you use IE 9.
  17. The Red Moon
    The Red Moon Registered Member

    I'm a former Firefox user myself and I now use Comodo Dragon.
    It has a neat incognito mode but the downside of this is that it disables my two extensions, which are WOT and Adblock. It also incorporates a website scanner running in real time. It's a really good browser and it's faster than Firefox.
    I've always found that it is the numerous extensions to Firefox that ultimately slow it down.
    Regards. :D
  18. Chiron
    Chiron Registered Member

    You can select the option to run these in incognito if you wish.