Closed Bug 502479 Opened 16 years ago Closed 16 years ago

Bodizzle/Virtus Designs' themes adware (adds Ask.com search switcher on update, even if theme is disabled)

Categories

(addons.mozilla.org Graveyard :: Policy, defect, P3)

Product:
addons.mozilla.org Graveyard
Component:
Policy
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: Engamer01, Assigned: jorgev)

References

(
URL
)

Details

Attachments

(1 file)

About:config is accessible with the Aero Fox theme installed
30.59 KB, image/png
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 Brett Bodine, aka Bodizzle/Virtus Designs, recently uploaded Fx 3.5 theme updates to some of his themes in the Sandbox. However these themes add two bookmarks to Places (one bookmark is to Brett's site and the other is an advertisement) and changes the search engine the Search Bar is set from whatever you use to Ask.com. Brett did update the themes' pages to say that installing the new Fx 3.5 themes/updates will do this and even stated this in the EULA of the themes. However he fails to realize if the themes go public, many users will be served updates without warning (regardless of the option in the Add-ons Manager that lets you check what new updates of add-ons contain). I've filed this bug in order to determine if Brett's approach to offering his themes is ok instead of the past updates that had split the themes into two versions, a basic version and a fully-skinned pay version. I'll CC Brett so that he can have his say. Some users of the theme that found out about the Fx 3.5 versions of the theme are already starting to flood his reviews claiming his themes are adware/malware. A new bug may need filing to get that mess cleared up. Reproducible: Always
Assignee: nobody → rbango
Status: UNCONFIRMED → NEW
Component: Public Pages → Policy
Ever confirmed: true
QA Contact: web-ui → policy
Can you provide links to his theme?
Also I couldn't CC Brett from here, so I had to email him directly and notify him of this bug's filing.
Brett responded to my email. He will be removing the extension that added two bookmarks to Places (because of a bug in that extension) from his themes, but will be keeping the extension that resets your Search Bar's engine to Ask.com in his themes. Brett says AMO has cleared this move on the basis that his themes would have to be recategorized as extensions instead of themes. Is that right?
(In reply to comment #4) > Brett says AMO has cleared this move on the basis that his themes would have to > be recategorized as extensions instead of themes. Is that right? Wait... he's making a theme in the form of an extension? I don't think that sounds like a good idea. Themes should not be able to do anything but theme something. Allowing anything more than that feels like a security hole to me. Taking a quick look at the install.rdf it's not even an extension. This is actually a multiple install package with the JAR for the theme and the XPI for the adware in it. (https://developer.mozilla.org/en/Multiple_Item_Packaging) How well does AMO handle multi-XPIs anyway?
By the way, the title as filed was "Is Virtus Designs' themes adware or ok?". This is clearly (light) adware as it's "ware" that has an unrequested "ad" for Ask.com, but it may or may not be ok. There are other add-ons on AMO with ads in some form so it's just a matter of where the line is drawn. If it asked if the user wished to switch, I'd personally say that'd be fine. Automatically switching without any user confirmation which it does on theme upgrade to a theme+extension package is another story entirely. I actually see two separate problems here: 1) Forced search engine switch. (don't care if it says so in the EULA) 2) Conversion on upgrade from theme to not just a theme. AMO shouldn't be accepting uploads of new add-on versions that change the XPI type.
Summary: Is Virtus Designs' themes adware or ok? → Is Bodizzle/Virtus Designs' themes adware ok?
(In reply to comment #6) > AMO shouldn't be accepting uploads of new add-on versions that change the XPI > type. Meant add-on type; it was a JAR now it's an XPI with a JAR and an XPI in it.
Dave, two things: 1) If he lists his theme as an extension and not a theme, then it's fine to have the extra functionality. Brand Thunder does this and is acceptable. 2) If his EULA and/or add-on description clearly state that the add-on switches the search engine (which it does), it's acceptable. We've gone over this internally and have decided it's fine as long as it's clearly outlined.
Justin reminded me of one thing in our policy revision that needs to be included. All changes should be opt-in. http://blog.mozilla.com/addons/2009/05/01/no-surprises/ "All changes must be ‘opt-in’, meaning the user must take non-default action to enact the change." I'll chat with Brett about this.
Fair enough. I agree that he's not doing anything horribly evil here with regard to the search engine. (though, I would prefer a prompt for change) My biggest concern is the purely technical issue that AMO allows transition from one add-on type to another without having to change the ID. In my opinion, allowing this sort of transition through an auto-update is dubious. People who download the version from the site will probably not have too much of an issue with it. It's the fact that he'll be pushing an update from one thing to another. Previous users did not agree to this in the EULA. There will be quite a few mad people when this version gets pushed as an auto-update. I guarantee there will be another deluge of rants in the reviews followed by an exodus of some large percentage of his remaining user base, again. If he's fine with that and AMO policy is fine with it then so be it. Still a crappy idea, in my opinion. ;)
Well, that's why we love your feedback Dave. You make us think outside of the box and we appreciate that. I am going to chat internally about the auto-update thing as that's a very good point. Also, I've contacted Brett about ensuring that the user must "opt-in" to make the change to a search engine.
(In reply to comment #11) > Well, that's why we love your feedback Dave. You make us think outside of the > box and we appreciate that. I am going to chat internally about the auto-update > thing as that's a very good point. Thanks. Honestly, I even expect this sort of thing to trigger all sorts of unknown bugs. Has AMO ever actually done this sort of JAR->Multi-XPI update before? Brand Thunder's add-ons look like they started out as XPIs. (though I didn't check them all) > Also, I've contacted Brett about ensuring that the user must "opt-in" to make > the change to a search engine. Yes, I agree on this point. Requiring a prompt here would make things much better. He'll probably still tick off a large number of people on principle alone, but that's his choice.
These files are still listed as experimental, however for most of them he's now trying to point users directly to the experimental version (specifically the EULA page) from his short description. Example: "Aero Fox 3.5 is pending review. You can install the "experimental" version by going to: https://addons.mozilla.org/en-US/firefox/addons/policy/0/6070/57961 It has been extensively tested but it is still awaiting approval." This is a sort of run-around to the system. Maybe in the long desc or dev comments, but this at far least doesn't belong in the short desc. Generally the description should be a description. Also, there are now some new negative reviews coming in, especially for Aero Fox. Though, it's mainly users complaining about a perceived drop in quality and some reported bugs for the new version and not just the search engine switch. Has there been any progress with the developer here?
Unfortunately no. We've made numerous suggestions to the developer on how to better the experience for users but he's weighing his options. We want the user to have complete control of how things get installed and how the uninstall process cleans itself up. The author is requesting that the user have less control. We're not okay with that. All future updates to his existing add-ons or newly submitted add-ons will continue to be kept experimental until we can come to a conclusion that makes Mozilla's users the priority.
Did you find out if it was still the same developer or if it was sold? (though, I guess that doesn't matter that much to us)
(In reply to comment #15) > Did you find out if it was still the same developer or if it was sold? > (though, I guess that doesn't matter that much to us) Er... scratch that. Wrong bug. Sorry :/
I'm afraid these two have had their Fx 3.5 updates pushed public: Aero Fox - https://addons.mozilla.org/en-US/firefox/addon/6070 Aero Silver Fox - https://addons.mozilla.org/en-US/firefox/addon/7089 And people are flooding the reviews with graphical complaints and/or malware postings. And as far as I know, Virtus Designs hasn't sold or gave up rights to his themes. Also I hope editing this bug's title is ok. I really should have proofread that title before submitting this bug.
Summary: Is Bodizzle/Virtus Designs' themes adware ok? → Are Virtus Designs' themes adware?
(In reply to comment #17) > Also I hope editing this bug's title is ok. I do not think so. Read comment #6 by Dave. His point is that the add-ons by Virtus Designs are clearly (light) adware, and there is no question in that. The question is whether these adware add-ons by Virtus Designs are acceptable or not. @Ngamer01: If you agree with him, please edit the summary accordingly.
My apologies for the confusion and bugspam. The summary has been reverted.
Summary: Are Virtus Designs' themes adware? → Is Bodizzle/Virtus Designs' themes adware ok?
(In reply to comment #19) > My apologies for the confusion and bugspam. The summary has been reverted. Thanks!
(In reply to comment #17) > I'm afraid these two have had their Fx 3.5 updates pushed public Why did an editor approve them? I thought things were on hold. Rey? > And as far as I know, Virtus Designs hasn't sold or gave up rights > to his themes. Yes, I know. Sorry for that bit of confusion from me. Comment 15 was intended for another adware bug report I had open at the same time. ;)
(From bug 506505 comment #0) > There have been several reports of Virtus Design's themes setting ask.com as > the default search engine in firefox. It does say that the will do that in > their privacy policy, but, see > https://support.mozilla.com/tiki-view_forum_thread.php?locale=en-US&comments_parentId=401424&forumId=1 > for info about it.
Severity: normal → major
Summary: Is Bodizzle/Virtus Designs' themes adware ok? → Bodizzle/Virtus Designs' themes adware (adds Ask.com search switcher on update)
(In reply to comment #14) > All future updates to his existing add-ons or newly submitted add-ons will > continue to be kept experimental until we can come to a conclusion that makes > Mozilla's users the priority. Did some editor just approve the versions without knowing about this? What happened? Should these versions be re-sandboxed now? (though, the damage is done) If it is the case that an editor just went ahead and did it on their own, then I guess there needs to be some sort of a system to put an admin hold on editor reviews for an add-on.
Doesn't an add-on installing Ask.com's search engine violate Mozilla's deal with Google? After all AMO's the official Mozilla Firefox site.
(In reply to comment #26) > Doesn't an add-on installing Ask.com's search engine violate Mozilla's deal > with Google? > After all AMO's the official Mozilla Firefox site. I wouldn't think so. It's not Mozilla doing this, it's a 3rd party add-on that happens to be hosted here. Nonetheless, someone from Legal should probably be asked as you do have an interesting point there. (I have no idea who to CC)
"It's not Mozilla doing this" You and I may know that but the average user certainly doesn't. If they already had this theme installed and updated to the latest version they wouldn't have a clue why Google was no longer their default search engine, during the update process there's no warning that Ask will replace it. Call a lawyer Dave.
A little more information on this. I was presented with this update today on both my machines. On one I was using Aero Fox, but on the other it was installed but not being used. The update added the Ask.com extension to both, switching the default search. To further the insult, Ask also hijacked the Awesome Bar making it impossible to get into about:config to try to reset the Ask.com entries. At Mozillazine, we have had a number of topics about the Ask toolbar leaving behind those entries when uninstalled, so this was the first place I tried to look after I noticed the change. Very bad behavior. Fortunately, uninstalling the Ask.com chrome search extension reverted the settings in this case.
> Ask also hijacked the > Awesome Bar making it impossible to get into about:config to try to reset the > Ask.com entries. Well now that's bad. Probably against the AMO ToS as well.
Update: An editor inadvertently approved these two themes. All editors were advised not to but this seems to be a case of human error. I've sandboxed the problem versions and have already emailed the author this morning. The functionality that's currently in these two add-ons do violate our policies and the author is aware of this. It was the reason that these versions had not been approved for public to-date. We've been working with the developer to change the way he handles his monetization strategy.
Hi Rey, Thanks for writing back to me and for directing me to this bug report. I honestly feel that if this developer will not remove the bundled, silent search engine add-on from his themes, that he should be banned from AMO. I, like many others, did not even have Aero Fox in use as my theme (I was using another of Bodizzle's themes--Abstract Classic, which, as far as I can tell, has not yet been bundled with the Ask search engine), and yet via my "Update Notifier" extension, I found out that the "Ask Chrome Search Engine" was to be installed the next time I restarted Firefox (without my consent or advance knowledge). It was only by chance that I didn't restart to find that the Ask search engine had taken over my browser like many others had happen to them. I, fortunately, had a chance to research what it was and delete it from my add-ons (as well as the two themes of his that I had installed). However, it should NEVER have come to that (editor approval mistake or not). What this developer is doing is heinous and, again, I think he should be banned. And reading through the recent reviews of his MANY themes that hijack your browser, I'm not alone in that opinion. Thanks for considering.
Bodizzle has issued an official statement about the mess: http://www.virtusdesigns.net/?p=659
(In reply to comment #32) > I, like many others, did not even have Aero Fox in use as my theme New level to this mess. :/ This is the general sort of thing I meant by possible "unknown bugs" in previous comments. Updating from a JAR to a multi-XPI with a JAR and an XPI is bound to cause all sorts of weird problems like this because it was never designed to do this. (In reply to comment #32) > What this developer is doing is heinous and, again, I think he should be > banned. And reading through the recent reviews of his MANY themes that hijack > your browser, I'm not alone in that opinion. I'm no fan of this guy or his tactics, but so long as he corrects this I think banning is overkill at this time.
Summary: Bodizzle/Virtus Designs' themes adware (adds Ask.com search switcher on update) → Bodizzle/Virtus Designs' themes adware (adds Ask.com search switcher on update, even if theme is disabled)
(In reply to comment #31) > Update: An editor inadvertently approved these two themes. All editors were > advised not to but this seems to be a case of human error. I've sandboxed the > problem versions and have already emailed the author this morning. Missed one, there was a third pushed public: Aquatint Black (recommended) https://addons.mozilla.org/en-US/firefox/addon/6111 Also just filed bug 506833 for a problem on that page.
With the mess ongoing leading people to spam 1 star malware reviews (with some containing very offensive language), people are now spamming up the tags (with some tags containing very offensive language). Might be good to file a new bug for cleaning up the reviews and tags of Bodizzle's themes. Though it would also be good to lock down the ability to review and tag on those themes until those whole mess is resolved.
(In reply to comment #36) > With the mess ongoing leading people to spam 1 star malware reviews (with some > containing very offensive language), people are now spamming up the tags (with > some tags containing very offensive language). > > Might be good to file a new bug for cleaning up the reviews and tags of > Bodizzle's themes. Though it would also be good to lock down the ability to > review and tag on those themes until those whole mess is resolved. I brought that up in #addons last night, but no one responded. I agree with you.
> To further the insult, Ask also hijacked the Awesome Bar making it impossible > to get into about:config to try to reset the Ask.com entries. I installed the Aero Fox 3.5 theme and had no problem accessing about:config.
Please excuse the double-post. I also wanted to add the following: - With the Aero Fox theme installed, the value of keyword.URL remained unchanged. - After uninstalling the Ask Chrome Search Engine extension, the Ask.com search engine was removed and the selected search engine was reset to Google.
In reply to comments <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=502479#c38">#38</a> and <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=502479#c39">#39</a> It caused problems with the Awesome Bar on both of my systems that had his themes. Both systems are Vista. It kept trying to add http://www. to the about:config entry. After removing the Ask Chrome Search extension, it reverted back, which is unusual for the Ask.com stuff. From previous experience on customers' machines, I had thought that I would need to get into about:config to repair this which is why I tried it. After I saw the problem with the Awesome Bar on the one machine, I checked it on the other. Same result.
(In reply to comment #36) > Might be good to file a new bug for cleaning up the reviews and tags of > Bodizzle's themes. Filed a bug for the tag spam -> bug 506972 For the review spam, we've not cleaned up reviews en-mass for previous one-star deluges so I don't think we'll start now. If any get particularly offensive then use the normal reporting system for them.
Blocks: 506972
Ray, any new info on this?
Thanks for checking in. We're working with the developer and Ask.com on revamping the experience. Once we feel that they've provided a much more transparent UX, we'll move forward.
Bodizzle has uploaded a new Aero Fox version to the Sandbox. Aero Fox III -> https://addons.mozilla.org/en-US/firefox/addon/45732 Just notifying you all of this update.
Assignee: rbango → jorge
Priority: -- → P3
Target Milestone: --- → 5.5
And lets hope it stays there, enough users browsers are getting hijacked by this infernal thing, why associate AMO with such behavior. Do a search at Mozillazine and SUMO if you want to see the grief it's produced.
Marking this fixed. As far as I can tell, all of the offending themes have been switched to self-hosted add-ons, which means the existing users won't get moved over to the new update channel.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
This theme has been updated and approved again, Now with bing toolbar, it now pops up a window asking to install Bing toolbar on first run. Do we want the behavior from extensions on addons.mozilla.org?
It's acceptable behavior. The add-on offers the option to add the bing options, defaulting to off, which falls in line with our No Surprises policy: https://addons.mozilla.org/en-US/developers/docs/policies/reviews#section-defaults
It may be acceptable behaviour to you but not to may long time users that despair at the depths AMO has sunk to. This Bodizzle chap is a cheap huckster that's playing you guys like a fiddle. No wonder some of the better themers are leaving and hosting their own themes. Kind of ironic that one can download Google Chrome themes without this kind of garbage screwing up their browser. I'll bet many new Firefox users showing up with complaints at help forums have no idea where those that infernal Ask/Bing **** came from. "No Surprises Policy", I don't know whether to laugh or cry.
While many users were affected by the Ask.com engine that was added without their consent, that was something that was corrected with the developer, and it was decided that he could submit new add-ons as long as it followed our policies to the letter. If you have tested any of his add-ons on AMO, you should realize that the bing feature is only installed through explicit user action. I don't see how a user can end up with an unwanted feature that way.
(In reply to comment #49) > Kind of ironic that one can download Google Chrome themes without this kind of > garbage screwing up their browser. I don't understand why that's ironic, but regardless, if you're looking for lightweight themes similar to Google Chrome's instead of the full experience of Firefox themes, you might be interested in Personas: http://getpersonas.com
I will no longer touch his themes so will not be testing this myself. To me, as a repair technician dealing with home users daily, if he is requiring opt out instead of opt in, it is still a problem. As an aside, I don't care for the opt out when any program does this. Think Adobe. Regular home users are not computer educated enough to understand the implications of the opt out/opt in. They wonder where all this extra garbage came from and come to me to clean it up. I know you developers don't have to deal with this and are educated enough to know to watch for the opt out, but most of the "real world" do not. Again, if it's offered as an opt in, where doing nothing would NOT install the toolbar, would be fine. Opt out is not acceptable ever.
If there's a new incident with one of this guy's themes, please file a new bug and discuss it there. This particular specific issue was resolved.
Please don't insult my intelligence fligtar you know damn well the point I'm making. I'm not the slightest bit interested in Personas and am saddened when 'get themes' directs me to cheap looking cheesy skins that don't even fit a navbar only set up of FF. At least when Holiday Inn used the No Suprises line it was true. (In reply to comment #51) > (In reply to comment #49) > > Kind of ironic that one can download Google Chrome themes without this kind of > > garbage screwing up their browser. > I don't understand why that's ironic, but regardless, if you're looking for > lightweight themes similar to Google Chrome's instead of the full experience of > Firefox themes, you might be interested in Personas: http://getpersonas.com
(In reply to comment #54) > Please don't insult my intelligence fligtar you know damn well the point I'm > making. > I'm not the slightest bit interested in Personas and am saddened when 'get > themes' directs me to cheap looking cheesy skins that don't even fit a navbar > only set up of FF. > At least when Holiday Inn used the No Surprises line it was true. (In reply to > comment #51) > > (In reply to comment #49) > > > Kind of ironic that one can download Google Chrome themes without this kind of > > > garbage screwing up their browser. > > I don't understand why that's ironic, but regardless, if you're looking for > > lightweight themes similar to Google Chrome's instead of the full experience of > > Firefox themes, you might be interested in Personas: http://getpersonas.com
(In reply to comment #52) > Again, if it's offered as an opt in, where doing nothing would NOT install the > toolbar, would be fine. Opt out is not acceptable ever. It's opt-in, we require it to be that way. (In reply to comment #53) > If there's a new incident with one of this guy's themes, please file a new bug > and discuss it there. This particular specific issue was resolved. robin, please file a new bug with your concerns.
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: