Closed Bug 1227272 Opened 10 years ago Closed 9 years ago

Webvisum addon sends the complete URL for every page visited to their server in plain text.

Categories: addons.mozilla.org :: Security, defect
Priority: Not set
Severity: major
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: rob, Assigned: jorgev

Details

The webvisum addon, https://addons.mozilla.org/en-GB/firefox/addon/webvisum/, has a big privacy bug. In order to check for page enhancements, the addon makes an HTTP request to api.webvisum.com for every page load that contains the complete URL in plain text. It does the same with https pages, and in private browsing mode. The addon requires a user account on webvisum.com, so if intercepted, the URLs could be linked to a user on that site. I find it quite disconcerting that there is possibly more information about my web history contained in the server logs of webvisum.com than there is on my own computer.
I disabled all current versions and notified the developers. I asked them to upload a corrected update as soon as possible.
Assignee: nobody → jorge
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hi All, It's been a very long time since I looked into the Webvisum code but I'm pretty sure we should be able to move all communication with the server to https. That'll prevent anything being easily intercepted, and should hopefully help out with the privacy issues.
Closing this as there is nothing left to do here. Karl, if you are the developer of that add-on and want to upload a new version, you can do so in your developer hub on AMO.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Hi Guys, sorry I obviously wasn't clear enough. If we update the code to communicate via https is that enough for you to re-enable the addon? Or do we need to do other things to prevent the addon being disabled? Cheers, Karl
You also need to notify users about what's going on before the reporting feature is activated.
OK, I'll make sure something is added in the next release. Thanks for your input.
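The two problems the thread settles on are the plaintext transport (the report's description and the proposed move to HTTPS) and sending the page URL at all without the user's knowledge or in private browsing (the reviewer's request that users be notified before the reporting feature is activated). The following is an added example, not code from the Webvisum add-on, from Mozilla, or from anyone in this thread: it audits a constructed list of outgoing "page check" requests for both problems, and shows a sender-side builder that refuses a non-HTTPS endpoint and withholds the request without consent or in private browsing. The host api.webvisum.com comes from the report; the /check path, the query parameter name "url", and the sample requests are assumptions constructed for the example.

```javascript
// Added example, not the add-on's own code. The host api.webvisum.com is from
// the bug report; the path, parameter name and sample requests are constructed.

const SAMPLE_REQUESTS = [ // constructed request log, one outgoing URL per entry
  'http://api.webvisum.com/check?url=https%3A%2F%2Fbank.example%2Faccounts%2F42',
  'https://api.webvisum.com/check?url=https%3A%2F%2Fbank.example%2Faccounts%2F42',
  'https://api.webvisum.com/version',
];

// Audit one outgoing request and list the privacy problems it exhibits:
// plaintext transport, and a full page URL embedded in a query parameter.
function auditRequest(rawUrl) {
  const u = new URL(rawUrl);
  const findings = [];
  if (u.protocol !== 'https:') {
    findings.push('plaintext transport');
  }
  for (const [name, value] of u.searchParams) {
    let embedded;
    try {
      embedded = new URL(value); // throws unless the value is itself an absolute URL
    } catch {
      continue;
    }
    if (embedded.hostname) {
      findings.push(`full page URL sent in parameter "${name}"`);
    }
  }
  return findings;
}

function auditAll(requests) {
  return requests.map((request) => ({ request, findings: auditRequest(request) }));
}

// Sender side: build the check request only when it is safe and permitted.
// Throws on a non-HTTPS endpoint (a configuration error that must not be
// silently tolerated); returns null when the user has not consented or the
// page is loaded in private browsing, so nothing is reported at all.
function buildCheckRequest(pageUrl, { endpoint, consentGiven, privateBrowsing }) {
  const api = new URL(endpoint);
  if (api.protocol !== 'https:') {
    throw new Error(`refusing to report page URLs over ${api.protocol.replace(':', '')}`);
  }
  if (!consentGiven || privateBrowsing) {
    return null;
  }
  api.searchParams.set('url', pageUrl);
  return api.toString();
}

for (const { request, findings } of auditAll(SAMPLE_REQUESTS)) {
  console.log(request, findings.length ? findings : 'ok');
}
```

Run with Node (`node audit.js`); the first sample request is flagged twice, the second once (HTTPS alone fixes the interception risk but still ships the full page URL to the server), and the third not at all. The builder mirrors the thread's outcome: transport is fixed by construction, and the request is simply not built until the user has been told and agreed.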