Closed Bug 605104 Opened 15 years ago Closed 15 years ago

Disable and blocklist IE Tab Plus 1.95.20100930 -- an adware WindowShopper found in the latest version

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Type: defect
Priority: Not set
Severity: critical

RESOLVED INVALID

People

(Reporter: kohei, Unassigned)

There are many reports on the bundled adware.
Summary: Disable IE Tab Plus → Disable IE Tab Plus 1.95.20100930
Summary: Disable IE Tab Plus 1.95.20100930 → Disable and blocklist IE Tab Plus 1.95.20100930 -- an adware WindowShopper found in the latest version
https://addons.mozilla.org/en-US/firefox/addon/52809/

Author has uploaded a new version which claims is clean. It'll need verification though.
(In reply to comment #1)
> https://addons.mozilla.org/en-US/firefox/addon/52809/

This looks clean, the SuperFish Window Shopper-related files have been removed, but this is served as a different add-on. Admins should disable the original one, id=10909, anyway.
(In reply to comment #1)
> https://addons.mozilla.org/en-US/firefox/addon/52809/
>
> Author has uploaded a new version which claims is clean. It'll need
> verification though.

The original add-on that is the subject of this bug report still contains spyware that was pushed to users' systems without proper notification or consent during the upgrade process. Mozilla AMO needs to seize this add-on account and publish a release that rolls back these changes.
Severity: normal → critical
Component: Administration → Blocklisting
QA Contact: administration → blocklisting
(In reply to comment #3)
> Mozilla AMO needs to seize this add-on
> account and publish a release that rolls back these changes.

That's not going to happen. There are only a few options AMO staff can take:

1) Move all the bad versions of the original IE Tab Plus to the Sandbox.
2) Delete all trace of the original IE Tab Plus from AMO if option 1 is not plausible.
3) After option 1 or 2, blocklist the original IE Tab Plus so that affected people can be notified and take action.

Finally the dev should be given a chance to answer concerns.
This add-on has been reviewed by the AMO Editors team (I reviewed it) and was carefully re-reviewed (by myself and others) when the claims of spyware were brought up. The add-on is not spyware, and including ads is not against our policies, provided that the add-on is transparent about it. We identified a few areas where the add-on needs to be updated to improve in that regard and the developers were contacted about it, but in general we're OK about the way they handled this inclusion. I'm not sure how to resolve this, I guess INVALID works.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
I question the previous assertion that “the add-on is not spyware” or that “the add-on [has been] transparent” about its inclusion of adware/user tracking functions.

This add-on was originally described to users as a tool for displaying Internet Explorer-rendered pages within Firefox, nothing more. That is what users consented to prior to the superfish release. However, the update is now reported to “capture all URLs/referrers visited as well as numerous other user statistics and transmit them back to superfish dot com via a hidden https XSS request”. It is also reported to insert code into pages that displays advertising to the user when visiting shopping sites. This new tracking and ad-display functionality was silently included in an update to existing users without their active and informed consent. This neatly fits the definition of spyware, adware and malware.

This add-on, as well as the non-malware add-on ‘IE Tab 2’, is routinely used for accessing legacy sites that support only IE. Corporate users are numerous and especially vulnerable as IE support is frequently required when accessing financial and banking functions. With this update, sensitive internal corporate information is being funneled off wholesale to superfish to use as they please, again, without the user’s knowledge.

This brings me to the crux of this post: Trust. The perception of the Mozilla platform is that it is safe. Users therefore believe that Mozilla-hosted add-ons are vetted and safe. Each available update pushed by AMO is assumed to be necessary, safe and consistent with the original stated function of the add-on.

At this time, potentially up to 3 million IE Tab Plus installations are running unauthorized code without the user’s knowledge, in clear violation of Mozilla add-on policies. No apparent effort has been made by AMO to repair these compromised installations or address the brewing disgust at the add-on’s page and forums elsewhere.

Rather than take steps to address the facts of this issue in any useful detail, this issue has been administratively swept under the rug, hardly a trust-building maneuver. Consider reopening this case and working to ensure that (1) all IE Tab Plus add-ons installed prior to the superfish bundling are brought into compliance with the add-on policy and that (2) these users have had an opportunity to explicitly opt in/out of the bundled tracking and advertising components.
The advertisements and URL reporting are only included for users who opt-in to the advanced features (ad blocking and cookie sync). Users who install the latest version for the first time must opt in to this, where it clearly states that the comparison shopping will be turned on with these advanced features. For users who already used this add-on and upgraded to the new version, if the advanced features were previously selected, a dialog appears when Firefox starts allowing users to either continue with the advanced features and comparison shopping or disable the advanced features and never turn on comparison shopping. We've asked the developer to make it more clear in this dialog that these users are now turning on comparison shopping, but as it stands, the post-upgrade dialog that lets users turn off advanced features and comparison shopping meets our requirements.
Just a side note - the dialog appears every time Firefox is started, or every time a new window opens (for example, when a site that I've allowed popups for pops up a window). And this is with Basic selected. Sure it might be an 'invalid' bug, but it's not what most of us opted in for when we originally installed the add-on, and the information about what the update does doesn't appear until after the update is performed.
Product: addons.mozilla.org → Toolkit