Closed Bug 581040 Opened 14 years ago Closed 14 years ago

Screenshot Pimp extension tricks users into changing their homepage and search engine

Categories

(addons.mozilla.org Graveyard :: Policy, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED
5.12.1

People

(Reporter: jwkbugzilla, Assigned: jorgev)

It seems that the Screenshot Pimp extension is essentially a repackaged version of the Zugo Toolbar, which is very unexpected. As you can see from http://support.mozilla.com/en-US/forum/1/615209, for example, users have a very hard time figuring out where this toolbar came from. Some of the reviews also claim that this extension changed their homepage, and apparently they are right.

Function checkFirstStart() in content/vid.js will send a ping to zugo.com (register installed toolbar, com.VidBar.ServerPings.onInstall() call) and open the "welcome dialog" (com.VidBar.WelcomeDlg.OpenWelcomeDialog() call). Note that the latter is done in addition to opening http://vids.st/success.html in a tab - the welcome dialog is only related to the toolbar, not to the original extension. The welcome dialog (content/welcome.xul) features two pre-checked checkboxes: one will change the browser homepage, the other changes the selected search engine. Careless users who simply click away annoying modal dialogs popping up on browser startup (meaning almost all users) will accept this configuration change without even noticing.

IMO all this is violating the "no surprises" policy, which is clearly proven by user reactions.

I would also recommend that somebody with the necessary rights does a search across all add-ons - this might not be the only case of bundling with the Zugo Toolbar.
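A reviewer-side check for the pattern reported above, as an added example that is not part of the bug report or of any AMO tooling: it lists XUL checkboxes that are checked by default and whose label mentions the homepage or search engine. The sample dialog, its ids and labels, and the function names are constructed for illustration; the real content/welcome.xul is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

# XUL namespace used by Firefox overlay and dialog files.
XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"

# Constructed sample dialog (assumption), NOT the add-on's real welcome.xul.
SAMPLE_XUL = """<?xml version="1.0"?>
<dialog xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        id="welcome-dialog" title="Welcome" buttons="accept">
  <description>Thanks for installing!</description>
  <checkbox id="set-homepage" checked="true" label="Make this my homepage"/>
  <checkbox id="set-search" checked="true" label="Use as my default search engine"/>
  <checkbox id="send-stats" checked="false" label="Send usage statistics"/>
  <checkbox id="newsletter" label="Subscribe to the newsletter"/>
</dialog>
"""


def prechecked_checkboxes(xul_text):
    """Return (id, label) for every XUL <checkbox> that is checked by default."""
    root = ET.fromstring(xul_text)
    hits = []
    for box in root.iter("{%s}checkbox" % XUL_NS):
        # A missing attribute or checked="false" means the user must opt in.
        if box.get("checked", "").strip().lower() == "true":
            hits.append((box.get("id", ""), box.get("label", "")))
    return hits


def review_flags(xul_text, keywords=("homepage", "home page", "search")):
    """Keep only pre-checked boxes whose label refers to browser settings."""
    return [(box_id, label)
            for box_id, label in prechecked_checkboxes(xul_text)
            if any(word in label.lower() for word in keywords)]


if __name__ == "__main__":
    for box_id, label in review_flags(SAMPLE_XUL):
        print("pre-checked setting change: %s (%r)" % (box_id, label))
```

Shipped XUL files often take their labels from locale DTD entities (`label="&name;"`), which ElementTree rejects as undefined entities, so those files need the entities resolved before this check can match on label text.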
Apparently, a Bing Toolbar add-on by Zugo Ltd. was hosted on AMO as add-on 54039 but was removed (disabled?). Interesting...
The author was warned about it in April, but no new version has been produced since. Given that the author hasn't responded quickly, I've moved the add-on back to the sandbox. Keeping this open until I can reach the author and get a response.
Assignee: jorge → nobody
Component: Add-on Security → Policy
Priority: -- → P3
QA Contact: security → policy
Target Milestone: --- → 5.12
-> jorge because I'm triaging nobody@ bugs
Assignee: nobody → jorge
The author replied about a month ago, promising a new version. There's nothing yet, but the add-on is in the sandbox, doing much less damage.
I'll keep this open for a month or so, and disable the add-on if there's no fix in sight.
Status: NEW → ASSIGNED
Moving to 5.12.2
Target Milestone: 5.12 → 5.12.2
No new version since April. I disabled the add-on.
-> FIXED.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: 5.12.2 → 5.12.1
Product: addons.mozilla.org → addons.mozilla.org Graveyard