Closed Bug 750119 Opened 12 years ago Closed 10 years ago

"Foxlingo" add-on sends all visited URLs (incl. HTTPS) to http://api??.thetrafficstat.net

Categories

(addons.mozilla.org :: Security, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED
2014-10

People

(Reporter: maor_pt, Assigned: jorgev)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120420145725

Steps to reproduce:

I installed Foxlingo (https://addons.mozilla.org/en-US/firefox/addon/foxlingo-translator-dictionary/).
The extension version is 2.7.3, but the problem may be reproducible on other versions.
I use Firefox 12 on Windows 7, but it is also reproducible on Firefox 11, and maybe on other versions of Firefox.




Actual results:

With the Foxlingo extension installed, Firefox sent all visited URLs (full URLs, including HTTPS URLs) to: http://api??.thetrafficstat.net.
URL sent while I was writing this bug:
http://api25.thetrafficstat.net/related?s=175&md=21&pid=null&sess=S77856895407477&q=https%3A%2F%2Fbugzilla.mozilla.org%2Fenter_bug.cgi%23h%3DbugForm%257CFirefox&prev=https%3A%2F%2Fbugzilla.mozilla.org%2Fenter_bug.cgi%23h%3Ddupes%257CFirefox&link=1&hreferer=https%3A%2F%2Fbugzilla.mozilla.org%2Findex.cgi&sub=Toolbar1


This should be marked as spyware!



Expected results:

Firefox should block the Foxlingo extension until the Foxlingo developers solve the problem!
Thanks
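The request quoted in the report can be decoded to show which query parameters carry browsing data and whether HTTPS page addresses cross the network in cleartext. The following Python sketch is an added example, not part of the bug report or the add-on's code; the function names `embedded_urls` and `audit_request` are hypothetical, and the sample input is the URL quoted in the report.

```python
from urllib.parse import urlsplit, parse_qsl

# Beacon URL copied from the report above (not constructed).
REPORTED_BEACON = (
    "http://api25.thetrafficstat.net/related?s=175&md=21&pid=null"
    "&sess=S77856895407477"
    "&q=https%3A%2F%2Fbugzilla.mozilla.org%2Fenter_bug.cgi%23h%3DbugForm%257CFirefox"
    "&prev=https%3A%2F%2Fbugzilla.mozilla.org%2Fenter_bug.cgi%23h%3Ddupes%257CFirefox"
    "&link=1&hreferer=https%3A%2F%2Fbugzilla.mozilla.org%2Findex.cgi&sub=Toolbar1"
)


def embedded_urls(request_url):
    """Return {param: decoded_url} for query values that are themselves URLs."""
    found = {}
    query = urlsplit(request_url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl has already removed one layer of percent-encoding.
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.netloc:
            found[name] = value
    return found


def audit_request(request_url):
    """Summarise what browsing data one outbound request exposes."""
    outer = urlsplit(request_url)
    leaks = embedded_urls(request_url)
    https_leaks = sorted(
        name for name, value in leaks.items()
        if urlsplit(value).scheme == "https"
    )
    cleartext = outer.scheme == "http"
    return {
        "destination": outer.hostname,
        "cleartext": cleartext,
        "leaked_params": sorted(leaks),
        # HTTPS page addresses readable by anyone on the network path.
        "https_urls_in_cleartext": https_leaks if cleartext else [],
        "leaked_hosts": sorted({urlsplit(v).hostname for v in leaks.values()}),
        # Fragments are normally never sent to any server; here they are.
        "fragments_leaked": sorted(n for n, v in leaks.items() if urlsplit(v).fragment),
    }


if __name__ == "__main__":
    for key, value in audit_request(REPORTED_BEACON).items():
        print(f"{key}: {value}")
```

Run over proxy or DNS-correlated HTTP logs, the same check flags any third-party request whose parameters contain full page URLs, independent of the destination host name.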
Component: Untriaged → Security
Seems like others also second this statement: https://addons.mozilla.org/en-US/firefox/addon/foxlingo-translator-dictionary/reviews/

Moving to "add-ons" product.
Component: Security → Add-on Security
Product: Firefox → addons.mozilla.org
QA Contact: untriaged → security
Summary: Foxlingo add-on is spyware → "Foxlingo" add-on sends all visited URLs (incl. HTTPS) to http://api??.thetrafficstat.net
Version: 11 Branch → unspecified
Andrew, please have a look.
Confirming.  The code appears (perhaps falsely) to be part of the similarsites functionality but I can't see anywhere to turn off or on similarsite, nor any suggestions of any similar sites.

I forced the addon to deactivate its 'from mozilla' mode (which disables some of the 3rd party addon installation) but it still doesn't offer to install or enable/disable similarsites.

The add-on is currently preliminary reviewed only and their latest update in the queue doesn't change this functionality (though does change some of the random hash code in the offending tabslistener.js file).

Jorge: is this serious enough to disable and require changes for preliminary review?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Let's require them to change it for the next version and see what they have to say about it.
I've rejected the pending version asking them to remove or justify the functionality.
Is this still the case with version 2.7.6?
I noticed in the settings of 2.7.6 that the "extra features (adsupported)" checkbox cannot be turned off. I uncheck it but the next time I edit the add-on's settings, it is checked again.
The options dialog appears to be broken - the pref (identifysitelanguage) isn't changing on Save.
Andrew or Kris, what's the status of this bug?
(In reply to Jorge Villalobos [:jorgev] from comment #9)
> Andrew or Kris, what's the status of this bug?

From looking at the emails we got, the last version I reviewed I rejected; a discussion was had between the developers, you and Kris, where you agreed to allow the functionality. 

They submitted a new version; they asked for confirmation on 27th Sept (no reply); Kris rejected on 2nd Oct.  I can't say how close the version Kris rejected was to what you agreed though.
> where you agreed to allow the functionality

Could you please explain to us mere mortals why such functionality would be allowed?

Thank you.
So, to be clear, the last version I rejected does not seem to do this. It does inject scripts into all web pages, if that's been opted into (which is more than a bit shady, since people are opting into ad injection into search results and not script injection into every page they visit, but...)

There are some other issues that I'm not remotely happy about, though.
The add-on is no longer available on the add-ons site because of lack of updates and overall bad quality. They are free to submit new versions as long as they address the pending problems.
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2014-10
The add-on is no longer available https://addons.mozilla.org/en-US/firefox/addon/foxlingo-translator-dictionary/
Screencast: http://screencast.com/t/cCver9CI8EF
Closing.
Status: RESOLVED → VERIFIED