Closed Bug 1483995 Opened 6 years ago Closed 6 years ago

Block add-ons associated with Web Security

Categories

(Toolkit :: Blocklist Policy Requests, enhancement)


RESOLVED FIXED

People

(Reporter: jorgev, Assigned: jorgev)

Details

A number of reports have come up that the Web Security add-on (https://addons.mozilla.org/addon/web-security/) is sending visited URLs to a remote server. While this may seem reasonable for an add-on that checks visited webpages for their security, other issues have been brought up:

1) The add-on sends more data than what seems necessary to operate.
2) Some of the data is sent unsafely.
3) The add-on doesn't clearly disclose this practice, beyond a mention in a large Privacy Policy.
4) The code has the potential of executing remote code, which is partially obfuscated in its implementation. 
5) Multiple add-ons with very different features, and different authors, have the same code. Further inspection reveals they may all be the same person/group.

For this, we're taking action on all of the following extensions:

+--------+-----------------------------------------------+
| id     | guid                                          |
+--------+-----------------------------------------------+
| 606008 | firefox@browser-security.de                   |
| 754752 | firefox@smarttube.io                          |
| 792317 | {0fde9597-0508-47ff-ad8a-793fa059c4e7}        |
| 803454 | info@browser-privacy.com                      |
| 838232 | {d3b98a68-fd64-4763-8b66-e15e47ef000a}        |
| 851519 | {36ea170d-2586-45fb-9f48-5f6b6fd59da7}        |
| 855429 | youtubemp3converter@yttools.io                |
| 857342 | simplysearch@dirtylittlehelpers.com           |
| 857365 | extreme@smarttube.io                          |
| 866911 | selfdestructingcookies@dirtylittlehelpers.com |
| 868657 | {27a1b6d8-c6c9-4ddd-bf20-3afa0ccf5040}        |
| 870028 | {2e9cae8b-ee3f-4762-a39e-b53d31dffd37}        |
| 875642 | adblock@smarttube.io                          |
| 893908 | {a659bdfa-dbbe-4e58-baf8-70a6975e47d0}        |
| 893912 | {f9455ec1-203a-4fe8-95b6-f6c54a9e56af}        |
| 903467 | {8c85526d-1be9-4b96-9462-aa48a811f4cf}        |
| 903479 | mail@quick-buttons.de                         |
| 915719 | youtubeadblocker@yttools.io                   |
| 915741 | extension@browser-safety.org                  |
| 928324 | contact@web-security.com                      |
| 938608 | videodownloader@dirtylittlehelpers.com        |
| 960114 | googlenotrack@dirtylittlehelpers.com          |
| 979089 | develop@quick-amz.com                         |
+--------+-----------------------------------------------+

Versions: *
Block type: hard.

Thanks to Rob Wu, Raymond Hill, rctgamer3, and others for conducting much of the investigation and keeping the ball rolling.

The block has been staged. Andreas, please review and push.
Flags: needinfo?(philipp)
Flags: needinfo?(awagner)
Done.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(awagner)
Resolution: --- → FIXED
Flags: needinfo?(philipp)
Flags: needinfo?(awagner)
(In reply to shellshock from comment #7)
> You can't trust Fabian Simon. The addon is no longer released by Mozilla.
> 
> In the end: Fabian Simon and his accomplices will either go to prison or
> face severe fines. Just wait some months... A big storm is coming.

Hi shellshock, this is a reminder that all comments here need to adhere to Bugzilla's etiquette guidelines (https://bugzilla.mozilla.org/page.cgi?id=etiquette.html) and that personal attacks are unwelcome. If this behavior continues, your Bugzilla account will be suspended.

Thank you everyone for the comments and inquiries you have made here. I understand this is an issue that brings up a lot of questions. At the same time, this is a bug tracker meant mostly for technical discussion around the actions taken.

Therefore, I am restricting comments to this bug. If you have further questions, please post them to our discussion forums: https://discourse.mozilla.org/c/add-ons .

Thank you for your understanding.
Restrict Comments: true