Closed Bug 533419 Opened 10 years ago Closed 10 years ago

Ecosia search add-on deletes AdBlock Plus filter subscriptions without warning

Categories

(addons.mozilla.org :: Security, defect, P3)

defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: carlos_alen, Assigned: fligtar)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Build Identifier: 

The new eco-friendly search engine Ecosia (http://ecosia.org/) has a search add-on available at http://ecosia.org/install.php . This add-on deletes AdBlock Plus filter subscriptions when installed. This is probably due to Ecosia earning revenue from adverts, but they should ask for permission to delete the subscription first, or clearly state what the add-on does.

Reproducible: Always

Steps to Reproduce:
1. Make sure you have AdBlock Plus installed with some subscription list.
2. Go to http://ecosia.org/install.php and install the search add-on.
3. Go to Tools > Add-ons > AdBlock Plus > Preferences
4. Notice that the filter subscriptions are gone. Only "My Adblocking rules" and "My element hiding rules" are left.
Actual Results:  
Ecosia search add-on deletes AdBlock Plus filter subscriptions without warning

Expected Results:  
Ecosia search add-on should not delete AdBlock Plus filter subscriptions without warning
Version: unspecified → Trunk
Mozilla.org have no control over addons that are not hosted on addons.mozilla.org.
Addons can do what they want (deleting your hdd, sending private files to a server in the internet or modify other addons). Do not install Addons from sources you don't thrust !
The same issue was reported in my forum. I contacted Ecosia a few hours ago, their CEO promised to fix that problem ASAP. Supposedly, the add-on developer they hired misimplemented this.
I was told that the add-on has been fixed, the update should go out in a day or two.
The website now offers version 1.0.3 for download. That one adds an exception for ecosia.org but continues to remove all filter subscriptions. WTF...
This is malware !
The addon should never modify other addon settings without asking I mean with asking only the exception for forecosia.org.
The removed filterlist which is a no go.
I mentioned that in the email communication. They think that the user gives permission to add this exception implicitly when installing their extension. But they agreed to mention that fact explicitly (not ask for permission however). As to removing subscriptions - supposedly this is still a bug...
(I know this isn't technically an AMO bug, but if we decide we want to do anything about the add-on, it'll happen in the addons.mozilla.org product.)
Component: General → Add-on Security
Product: Core → addons.mozilla.org
QA Contact: general → security
Version: Trunk → unspecified
Assignee: nobody → fligtar
Priority: -- → P3
Target Milestone: --- → 5.5
The only thing we can do about an add-on that is not hosted on AMO is to blocklist it. I don't think this behavior warrants such an extreme measure.

I'd recommend WONTFIX. Perhaps making this more public will put some pressure on the developer to follow common sense and respect their users.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I'm still communicating with Ecosia (now talking directly to the developer)...
Version 1.0.4 is out. The code removing Adblock Plus subscriptions is commented out. It will add an exception rule for ecosia.org that is removed on uninstallation. The user is still not notified about that in any way but at least it is more or less obvious what is going on. I guess this can be considered fixed...
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Verified per Wlad's comment in comment 10.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.