AVG bypasses Firefox add-on user protections (was: Third-party install page is not shown after a second Firefox restart)

Status: NEW, Unassigned
Priority: --, Severity: major
Opened 6 years ago, updated a year ago
Reporter: jorgev
Tracking flags: not tracked
Whiteboard: [3rd-party-bustage]
(Reporter)

Description

6 years ago
This was brought up in a governance discussion: https://groups.google.com/d/msg/mozilla.governance/9u9wGAcGVRM/fwXufERmfc8J, and demonstrated on this video: http://www.youtube.com/watch?v=3hw2EaXBRBs (relevant part begins at 1:24).

The Ask toolbar installer installs 2 extensions. The video demonstrates that both extensions are installed without the 3rd party install dialog appearing for either one. On the video, you can see Firefox being launched and then immediately closed. It's possible that restarting Firefox is sufficient to dismiss the dialog, which would be bad. The installer could be doing something else other than just restarting Firefox, though.

We need to figure out why the install page isn't showing up and whether the installer is intentionally exploiting this to its advantage.

Quitting then starting Firefox again is sufficient to dismiss the tabs that show the install confirmation, but that would leave the extensions disabled. If they're also clicking the checkboxes before quitting then that'd get them installed.
(Reporter)

Updated

6 years ago
Blocks: 751850
This is Alex Vincent from Ask.  This conversation is cropping up in a few different forums and I wanted to clear up the confusion. 

In the aforementioned implementation, it is not Ask that is bypassing the opt-in, but rather AVG that's doing it. Try it yourself by removing the AVG Toolbar from the install:

(1) Go to Soft32.com
(2) Search for Ask Toolbar and download it
(3) When you’re presented with the AVG offer, select “custom installation” and unselect both check boxes before hitting “next”.

The AVG Toolbar won’t get installed, and the about:newaddon page will appear.

As I mentioned in my response to the governance discussion, this practice is not new for AVG; it has been documented before in bug 751850 comment 6.

So, I did some late-night sniffing around. It is indeed AVG Secure Search doing this, by:

* Closes Firefox if it's already open.
* Finds any Firefox profile (I say "any" because it doesn't seem to read profiles.ini) and writes the following prefs to prefs.js:
  user_pref("browser.search.defaultenginename", "AVG Secure Search");
  user_pref("browser.search.selectedEngine", "AVG Secure Search");
  user_pref("extensions.autoDisableScopes", 0);
* Starts Firefox. Since extensions.autoDisableScopes is set to 0, any newly detected addon is automatically installed and enabled.
* Closes Firefox as soon as it's loaded.
* Opens prefs.js again, and reverts the value for extensions.autoDisableScopes
* Starts Firefox

Additionally, it also creates the file searchplugins/avg-secure-search.xml in the Firefox application directory.



I tested all this by installing Miro Video Converter with the default install settings in a clean VM running Windows 8. I monitored file/registry activity using Process Monitor (from Sysinternals), which also showed that:
* Miro's installer seems to read profiles.ini and cookies.sqlite (AFAICT, it does so by loading Firefox's mozsqlite.dll)
* AVG's installer seems to read search.sqlite and extensions.sqlite
* AVG's installer looks for the existence of the file searchplugins/avg_igeared.xml in the profile

This is horrifying.
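
A defensive check for the prefs.js changes listed in the AVG Secure Search analysis above, as an added example that is not code from this bug or from Mozilla. The function names and both sample prefs.js texts are constructed for illustration; the scope bit values (1 profile, 2 user, 4 application, 8 system, default 15) are Firefox's add-on install scopes.

```python
import re

# One prefs.js line has the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
SCOPE_BITS = {1: "profile", 2: "user", 4: "application", 8: "system"}
SCOPE_ALL = 15  # Firefox default: new add-ons in every scope start disabled
SEARCH_PREFS = ("browser.search.defaultenginename",
                "browser.search.selectedEngine")

def parse_prefs(text):
    """Return {pref name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # header comments and blank lines
        raw = m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[m.group(1)] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[m.group(1)] = (raw == "true")
        else:
            prefs[m.group(1)] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit_prefs(text):
    """Return (pref, value, reason) findings for the prefs named in this bug."""
    prefs = parse_prefs(text)
    findings = []
    scopes = prefs.get("extensions.autoDisableScopes")
    if type(scopes) is int and (scopes & SCOPE_ALL) != SCOPE_ALL:
        open_scopes = [n for bit, n in SCOPE_BITS.items() if not scopes & bit]
        findings.append(("extensions.autoDisableScopes", scopes,
                         "no opt-in for scopes: " + ", ".join(open_scopes)))
    for name in SEARCH_PREFS:
        if name in prefs:
            findings.append((name, prefs[name],
                             "search engine set in prefs.js; confirm the user chose it"))
    return findings

# Constructed samples: the state while the installer runs, and after the revert.
TAMPERED_SAMPLE = '''# Mozilla User Preferences
user_pref("browser.startup.page", 1);
user_pref("extensions.autoDisableScopes", 0);
user_pref("browser.search.defaultenginename", "AVG Secure Search");
user_pref("browser.search.selectedEngine", "AVG Secure Search");
'''
REVERTED_SAMPLE = TAMPERED_SAMPLE.replace(
    'user_pref("extensions.autoDisableScopes", 0);\n', "")
```

Because the installer reverts extensions.autoDisableScopes after the forced restart, that finding only appears while the change is in place; the search engine prefs are the ones that remain in the profile afterwards.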

Comment 5

6 years ago
(In reply to Blair McBride (:Unfocused) from comment #3)

This is unacceptable and fits my definition of malware. We should blocklist AVG and if possible do a hotfix update to remove any AVG toolbars that were installed this way.

Kev, can you contact AVG and let them know about this? 

Jorge, can you help us identify when this began (which AVG version first started bypassing our protections).

Comment 6

6 years ago
(In reply to Asa Dotzler [:asa] from comment #5)
> (In reply to Blair McBride (:Unfocused) from comment #3)
> 
> This is unacceptable and fits my definition of malware. We should blocklist AVG
> and if possible do a hotfix update to remove any AVG toolbars that were
> installed this way.
> 
> Kev, can you contact AVG and let them know about this? 
> 
> Jorge, can you help us identify when this began (which AVG version first
> started bypassing our protections).

We should also report this as malware to AV vendors. Do we have good contacts at Microsoft, Norton, and McAfee?

Updated

6 years ago
Summary: Third-party install page is not shown after a second Firefox restart → AVG bypasses Firefox add-on user protections (was: Third-party install page is not shown after a second Firefox restart)

Comment 7

6 years ago
(In reply to Asa Dotzler [:asa] from comment #6)
> We should also report this as malware to AV vendors.

Last I heard, AVG was an AV vendor, even one of the larger ones.
Whiteboard: [3rd-party-bustage]
(Reporter)

Comment 8

6 years ago
(In reply to Asa Dotzler [:asa] from comment #5)
> Jorge, can you help us identify when this began (which AVG version first
> started bypassing our protections).

Unless AVG keep an archive with all past installers (and I doubt that), I don't think we'll be able to identify which version range is affected. What we can do is block the major version branch, which is the most likely to be affected. That would be 11.*, based on the video.

Blair, Verdi or others: can you check if the extension id is avg@toolbar or avg@igeared?

Comment 9

6 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #8)
> (In reply to Asa Dotzler [:asa] from comment #5)
> > Jorge, can you help us identify when this began (which AVG version first
> > started bypassing our protections).
> 
> > Unless AVG keep an archive with all past installers (and I doubt that), I
> don't think we'll be able to identify which version range is affected. What
> we can do is block the major version branch, which is the most likely to be
> affected. That would be 11.*, based on the video.
> 
> Blair, Verdi or others: can you check if the extension id is avg@toolbar or
> avg@igeared?

Can we simply ask them "when did you start this behavior? if you'd like to ever be allowed to push your add-on to our users, you'll tell us and let us block those installs." or something like that? Why are we pussyfooting around here? This is malware tactics.
(Reporter)

Comment 10

6 years ago
I've filed bug 774429 to blocklist the AVG Safe Search Toolbar. Please do not comment on that bug unless really necessary, as we expect many confused users to end up there. I'll dupe this bug once the block is in place. I'll file a separate Tech Evangelism bug to track the search settings / homepage issue.
(Reporter)

Comment 11

6 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #10)
> I'll
> file a separate Tech Evangelism bug to track the search settings / homepage
> issue.

Bug 774436.