Block add-ons associated with Web Security

RESOLVED FIXED

People

(Reporter: jorgev, Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Description

7 months ago
A number of reports have come up that the Web Security add-on (https://addons.mozilla.org/addon/web-security/) is sending visited URLs to a remote server. While this may seem reasonable for an add-on that checks visited webpages for their security, other issues have been brought up:

1) The add-on sends more data than what seems necessary to operate.
2) Some of the data is sent unsafely.
3) The add-on doesn't clearly disclose this practice, beyond a mention in a large Privacy Policy.
4) The code has the potential of executing remote code, which is partially obfuscated in its implementation. 
5) Multiple add-ons with very different features, and different authors, have the same code. Further inspection reveals they may all be the same person/group.

For this, we're taking action on all of the following extensions:

Versions: *
Block type: hard.

Thanks to Rob Wu, Raymond Hill, rctgamer3, and others for conducting much of the investigation and keeping the ball rolling.
Comment 1

7 months ago
The block has been staged. Andreas, please review and push.
Flags: needinfo?(philipp)
Flags: needinfo?(awagner)
Done.
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Flags: needinfo?(awagner)
Resolution: --- → FIXED
Updated

7 months ago
Flags: needinfo?(philipp)
Flags: needinfo?(awagner)
(In reply to shellshock from comment #7)
> You can't trust Fabian Simon. The addon is no longer released by Mozilla.
> 
> In the end: Fabian Simon and his accomplices will either go to prison or
> face severe fines. Just wait some months... A big storm is coming.

Hi shellshock, this is a reminder that all comments here need to adhere to Bugzilla's etiquette guidelines (https://bugzilla.mozilla.org/page.cgi?id=etiquette.html) and that personal attacks are unwelcome. If this behavior continues, your Bugzilla account will be suspended.
Thank you everyone for the comments and inquiries you have made here. I understand this is an issue that brings up a lot of questions. At the same time, this is a bug tracker meant mostly for technical discussion around the actions taken.

Therefore, I am restricting comments to this bug. If you have further questions, please post them to our discussion forums: https://discourse.mozilla.org/c/add-ons .

Thank you for your understanding.
Restrict Comments: true