Screenshot Pimp extension tricks users into changing their homepage and search engine

RESOLVED FIXED in 5.12.1

Status

defect
P3
normal
RESOLVED FIXED
9 years ago
3 years ago

People

(Reporter: gaubugzilla, Assigned: jorgev)

Tracking

unspecified
5.12.1

Details

()

Reporter

Description

9 years ago
It seems that Screenshot Pimp extension is essentially a repackaged version of Zugo Toolbar - which is very unexpected as you can see from http://support.mozilla.com/en-US/forum/1/615209 for example, users have a very hard time figuring out where this toolbar came from. Some of the reviews also claim that this extension changed their homepage - and apparently they are right. Function checkFirstStart() in content/vid.js will send a ping to zugo.com (register installed toolbar, com.VidBar.ServerPings.onInstall() call) and open the "welcome dialog" (com.VidBar.WelcomeDlg.OpenWelcomeDialog() call). Note that the latter is done in addition to opening http://vids.st/success.html in a tab - the welcome dialog is only related to the toolbar, not to the original extension. The welcome dialog (content/welcome.xul) features two pre-checked checkboxes, one will change the browser homepage, the other changes the selected search engine. Careless users who simply click away annoying modal dialogs popping up on browser startup (meaning almost all users) will accept this configuration change without even noticing. IMO all this is violating "no surprises" policy which is clearly proven by user reactions.

I would also recommend that somebody with the necessary rights does a search across all add-ons - this might not be the only case of bundling with the Zugo Toolbar.
Reporter

Comment 1

9 years ago
Apparently, a Bing Toolbar add-on by Zugo Ltd. was hosted on AMO as add-on 54039 but was removed (disabled?). Interesting...
Assignee

Comment 2

9 years ago
The author was warned about it on April, but no new version has been produced since. Given that the author hasn't responded quickly, I've moved the add-on back to the sandbox. Keeping this open until I can reach the author and get a response.
Assignee: jorge → nobody
Component: Add-on Security → Policy
Priority: -- → P3
QA Contact: security → policy
Target Milestone: --- → 5.12
-> jorge because I'm triaging nobody@ bugs
Assignee: nobody → jorge
Assignee

Comment 4

9 years ago
The author replied about a month ago, promising a new version. There's nothing yet, but the add-on is in the sandbox, doing much less damage.
I'll keep this open for a month or so, and disable the add-on if there's no fix in sight.
Status: NEW → ASSIGNED
Assignee

Comment 5

9 years ago
Moving to 5.12.2
Target Milestone: 5.12 → 5.12.2
Assignee

Comment 6

9 years ago
No new version since April. I disabled the add-on.
-> FIXED.
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Target Milestone: 5.12.2 → 5.12.1
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.