1483995 - Block add-ons associated with Web Security

Status: RESOLVED FIXED

(Toolkit :: Blocklist Policy Requests, enhancement)

Description

[Jorge Villalobos [:jorgev] (he/him)]

A number of reports have come up that the Web Security add-on (https://addons.mozilla.org/addon/web-security/) is sending visited URLs to a remote server. While this may seem reasonable for an add-on that checks visited webpages for their security, other issues have been brought up:

1) The add-on sends more data than what seems necessary to operate.
2) Some of the data is sent unsafely.
3) The add-on doesn't clearly disclose this practice, beyond a mention in a large Privacy Policy.
4) The code has the potential of executing remote code, which is partially obfuscated in its implementation. 
5) Multiple add-ons with very different features, and different authors, have the same code. Further inspection reveals they may all be the same person/group.

For this, we're taking action on all of the following extensions:

+--------+-----------------------------------------------+
| id     | guid                                          |
+--------+-----------------------------------------------+
| 606008 | firefox@browser-security.de                   |
| 754752 | firefox@smarttube.io                          |
| 792317 | {0fde9597-0508-47ff-ad8a-793fa059c4e7}        |
| 803454 | info@browser-privacy.com                      |
| 838232 | {d3b98a68-fd64-4763-8b66-e15e47ef000a}        |
| 851519 | {36ea170d-2586-45fb-9f48-5f6b6fd59da7}        |
| 855429 | youtubemp3converter@yttools.io                |
| 857342 | simplysearch@dirtylittlehelpers.com           |
| 857365 | extreme@smarttube.io                          |
| 866911 | selfdestructingcookies@dirtylittlehelpers.com |
| 868657 | {27a1b6d8-c6c9-4ddd-bf20-3afa0ccf5040}        |
| 870028 | {2e9cae8b-ee3f-4762-a39e-b53d31dffd37}        |
| 875642 | adblock@smarttube.io                          |
| 893908 | {a659bdfa-dbbe-4e58-baf8-70a6975e47d0}        |
| 893912 | {f9455ec1-203a-4fe8-95b6-f6c54a9e56af}        |
| 903467 | {8c85526d-1be9-4b96-9462-aa48a811f4cf}        |
| 903479 | mail@quick-buttons.de                         |
| 915719 | youtubeadblocker@yttools.io                   |
| 915741 | extension@browser-safety.org                  |
| 928324 | contact@web-security.com                      |
| 938608 | videodownloader@dirtylittlehelpers.com        |
| 960114 | googlenotrack@dirtylittlehelpers.com          |
| 979089 | develop@quick-amz.com                         |
+--------+-----------------------------------------------+

Versions: *
Block type: hard.

Thanks to Rob Wu, Raymond Hill, rctgamer3, and others for conducting much of the investigation and keeping the ball rolling.

Comment 1

[Jorge Villalobos [:jorgev] (he/him)]

The block has been staged. Andreas, please review and push.

Comment 2

[Andreas Wagner [:TheOne] [use NI]]

Done.

Comment 3

[Lutz Falkenburg]

As already told you in IRC and as my customer sent you via mail, here once more so that we have all informations where they belong:

We would clearly like to address each of the mentioned points to clarify them with you.

"1) The add-on sends more data than what seems necessary to operate."

To the first point please point out what information this is referring to. We only collect information that is necessary for the processing and don’t save any of the data. To exemplify in our security add-ons, we communicate with the client to check the URL’s against a global blacklist, to provide more insight, this for example includes the one hosted by spam house. Receiving this data also helps mapping how a user came to the malicious site, to protect users before they reach the malicious sites. Hereby it is not the user’s data that is interesting, but only the consequential URL visits. Thus after receiving the IP-address (obviously necessary for the communication) we immediately anonymise it or even delete it completely. We have no stake tracking the user only the malicious sites that are visited. In another example Quick AMZ we need to check the site that the user requests whether it contains a product that amazon offers. This is the sole reason why users download and love our extensions.

"2) Some of the data is sent unsafely."

Secondly, yes a bug has apparently occurred in some of the addons, such as web security, where data is not being fully encrypted in the communication. This is an issue that we have identified due to the media reports and are already fixing. As we announced this update will be rolled out very shortly. However this issue has not affected all the addons, thus I do not understand why the other addon were affected by this ban.

"3) The add-on doesn't clearly disclose this practice, beyond a mention in a large Privacy Policy."

The formulation of the comment seams as though there is an issue that we only declare the use of data in the privacy policy. Sorry to ask, but isn’t that where it is supposed to go? We try and keep our privacy policy as precise as possible with the correct legal framework and grounding. If you feel that this legal framework is not adequate enough or we should work on the formulation or where we declare this information, we are more than happy to work on it. If you wish you can provide us with pointers on how we can be more transparent with the data processing so that we find phrasing that suites all parties you, the law, us and most importantly the users.

"4) The code has the potential of executing remote code, which is partially obfuscated in its implementation."

There was never the intention to execute malicious code or even obfuscate it, thus it would be greatly appreciated if you could show us what code sections you are referring to, where you have identified this. I assure you that we will do everything possible to fix that asap.

"5) Multiple add-ons with very different features, and different authors, have the same code. Further inspection reveals they may all be the same person/group."

Yes, some of these add-ons: Browser Privacy, Browser Security, Web Security, SmartTube, Amazon Quick Button and Quick AMZ are our add-ons, developed by us. It is not unusual that developers create different extensions for different purposes, thus I don’t quite see how that is an issue. We are an IT company that has over time developed quite a few outstanding products especially for Firefox, as especially our developers love the community. We put a lot of love and care into the products and really try and create value for the users, by providing cool and useful functionality to the users in a variety of facets. Privacy is a core priority for us, thus the security enhancing add-ons. The bug that has been uncovered with the missing encryption already made us look into how such a bug could make it unnoticed and as mentioned it will be fixed as soon as possible, but with care. We of course use existing code to build upon, which may explain similar code, however I don’t see that as a major issue, or do you?

We clearly beg you to overthink your decisions with this further information in mind and we are definatly for opening up lines of communication so that we can discuss any concerns that you have and that we can grow the Mozilla community jointly.

Best Regards

Comment 4

[Lutz Falkenburg]

Oh, I have overseen an update. Here it is:

We have been hard at work on our mistakes and would like to report on the developments from our side.

All our add-ons now use SSL for the communication, this has been implemented server side. If you need to know further information about why this communication is necessary and how the data is anonymised and processed to enable the services, we are more than happy to explain and discuss this with you. Concerning the following point of the disclosure, we are already working on more detailed descriptions that explain all features in more detail and with greater transparency of how we securely process the data. Concerning the remote code execution and code obscuring that you mentioned, we looked into it and found what you probably mean, this was a functionality that we implemented a long time ago, when the waiting lines for reviews were so long that it made it hard to push critical bug fixes, therefore we used this to be flexible with releases. However it hasn’t been used at all lately and we’d be more than happy to remove this from the add-ons with an update.

As we have yet to receive an answer to our first mail, we wanted to use this opportunity to show our initiative to cooperate on all levels. We would also greatly appreciate if you could let us in on the communication, to avoid any misunderstandings and so that we know what else to fix. Please drop us a message or reach out to us by phone.

Best Regards

Comment 5

[Lutz Falkenburg]

Dear community, 

we would like to take a stand on the events of the last days.

Without question we made mistakes in our free addons for which we would like to sincerely apologize. Further it is our mission to in any form about the issues and the future improvements.

Encryption (SSL): The communication of our addons with the servers was not completely encrypted. This has been fixed on the server side and an update for the addons is ready and can be rolled out as soon as Mozilla unlocks the addons.

For improved transparency, we would like to explain what data has been transmitted and the purpose of this transfer.

We transfer the following data:
- ID
- Old URL / old host
- New URL / new host
- hash
- App
- Agent
- Language

We use the ID to build a security chain that can consist of up to 5 consecutive requests. Should the user enter a malicious website, then the transferred "old URL" and the "new URL" can be used to track from which website the user came to this malicious website.

With this system, malicious pages get a "red" rating. Pages that link to "red" pages receive a "yellow" rating.

All this data is used to improve our heuristics and threat analysis. The transmitted data is stored for a maximum of 15 minutes on our German servers and cannot be used to identify a natural person.

We use to transfer "App", "Agent", "Language" and "Hash" for statistical reasons. As part of the updates, however, this data will be removed in the next update.

In order to avoid ambiguity, we will further clarify the explanations of what data is transferred and what it is used for in more detail.

Remote Code Execution: Unfortunately, in the course of any continuous software development project remnants of old program code are always left behind. Such was the case for us, however as reported in 7 out of 10 addons this program code was no longer functional.

In the past, this feature was used to quickly alert the user of critical threats without having to undergo the time-consuming update procedure. Mozilla's new update policy makes this feature obsolete and this the functionality is no longer in use. With the future update, the remaining fragments will be permanently removed. In addition, we will improve our quality assurance management to avoid such code snippets or errors in the.

We regret the incident and would like to have the opportunity to regain the confidence placed in us by the users.

Best Regards,
Fabian Simon

Comment 6

[Geoff Kuenning]

Seriously?  You unilaterally decide that an extension is "scary" and unilaterally disable it, without providing knowledgeable users any way to override your decision.

Did it never occur to you that I--and many other users--would prefer to risk trusting Lutz Falkenburg, who is only trying to help me protect my privacy, rather than trust EVERY WEB SITE IN THE WORLD to behave well?

This nanny-ism is absurd.  I'd be fine with receiving a warning, even a scary one, to let me know that a problem has been noted (and directing me to this bug report so I could evaluate for myself whether I trust Lutz more than the overweening people at Mozilla, who don't exactly have a great track record of protecting privacy).

But unilaterally disabling one of the most useful extensions available in Firefox is just...disgusting.  Grow up and stop being so arrogant and self-righteous.

Sheesh.

Comment 7

[shellshock]

You can't trust Fabian Simon. The addon is no longer released by Mozilla.

In the end: Fabian Simon and his accomplices will either go to prison or face severe fines. Just wait some months... A big storm is coming.

Comment 8

[shellshock]

(In reply to shellshock from comment #7)
> You can't trust Fabian Simon. The addon is no longer released by Mozilla.
> 
> In the end: Fabian Simon and his accomplices will either go to prison or
> face severe fines. Just wait some months... A big storm is coming.

Comment 9

[Caitlin Neiman [:caitmuenster]]

(In reply to shellshock from comment #7)
> You can't trust Fabian Simon. The addon is no longer released by Mozilla.
> 
> In the end: Fabian Simon and his accomplices will either go to prison or
> face severe fines. Just wait some months... A big storm is coming.

Hi shellshock, this is a reminder that all comments here need to adhere to Bugzilla's etiquette guidelines (https://bugzilla.mozilla.org/page.cgi?id=etiquette.html) and that person attacks are unwelcome. If this behavior continues, your Bugzilla account will be suspended.

Comment 10

[aandr075]

So, what is the status of this? This was a fantastic add-on, helped me disable a ton of annoying phishing adds

Comment 11

[Darkspirit]

(In reply to aandr075 from comment #10)
> So, what is the status of this? This was a fantastic add-on, helped me disable a ton of annoying phishing adds

General recommendations:
1. Make sure Safe Browsing is still enabled: https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
   If you find a phishing website you can report it via Menu Button > Help > Report Deceptive Site.
2. Open about:config and set privacy.trackingprotection.enabled to true. Or follow this tutorial and select "Always":
   https://support.mozilla.org/en-US/kb/tracking-protection#w_turn-tracking-protection-on-or-off-automatically-for-certain-sessions
3. Install https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
4. Optional: https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/
   (Or just flip privacy.firstparty.isolate to true. That's what the addon does.)
   https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/

Comment 12

[Andreas Wagner [:TheOne] [use NI]]

Than you everyone for the comments and inquiries you have made here, I understand this is an issue that brings up a lot of questions. At the same time, this is a bug tracker meant mostly for technical discussion around the actions taken.

Therefore, I am restricting comments to this bug. If you have further questions, please post them to our discussion forums: https://discourse.mozilla.org/c/add-ons .

Thank you for your understanding.