Closed Bug 1600600 Opened 6 years ago Closed 6 years ago

Extension Block Request: Avast extensions

Categories

(Toolkit :: Blocklist Policy Requests, task)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: jwkbugzilla, Unassigned)

Details
Extension name Avast extensions
Extension versions affected <all versions>
Platforms affected <all platforms>
Block severity soft

Reason

Various Avast extensions are essentially spyware, sending detailed browsing profiles to uib.ff.avast.com. The code in question is present in at least the following extensions:

Avast Online Security
Avast SafePrice
AVG Online Security
AVG SafePrice

Extension IDs

wrc@avast.com
sp@avast.com
aos@avg.com
{886a6486-37b3-4bcd-891b-fd0e325e7b1a}

Additional Information

Detailed analysis: hxxps://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/
User data being sold: hxxps://www.jumpshot.com/product/clickstream-data (platform is owned by Avast)

Extension pages:
https://addons.mozilla.org/en-US/firefox/addon/avast-online-security/
https://addons.mozilla.org/en-US/firefox/addon/avast-safeprice/
https://addons.mozilla.org/en-US/firefox/addon/avg-online-security/
https://addons.mozilla.org/en-US/firefox/addon/avg-safeprice/

Thank you for the report. We are working with the developer on this, so it might take a little loner than usual.

We are expecting the developer to submit a compliant version soon, so it was decided not to block this add-on at the moment. We will reopen this bug if the decision changes.

Group: blocklist-requests
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX

Presumably, renaming the setting "Allow usage data to be shared with 3rd parties for analytics" into "Allow usage data to be shared with Jumpshot for analytics" was part of the compliance changes. Is it known/accepted that this renaming only happened in English? For all other languages the old name is being used. I don't assume a malicious intent, merely translations lagging behind - but somebody might want to check that the translations are updated eventually, these were already out of sync with English before the changes as well.

There is another issue with the Avast SafePrice extension: its consent screen cannot be declined. If you decline or close the consent screen, the extension merely stays disabled for the current session. After a browser restart it will simply assume consent and start up.

Thank you Wladimir, we are looking into it. You can also report such issues on amo-admins at mozilla dot com.

You need to log in before you can comment on or make changes to this bug.