Closed Bug 903799 Opened 7 years ago Closed 7 years ago

BlockSite update adds privacy violation - add-on now "phones home"

Categories

(addons.mozilla.org :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: nagle, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130618035212

Steps to reproduce:

BlockSite, an old but unmaintained add-on to block a user-specified list of sites, has been taken over by "wips.com". Wips.com added code to make it "phone home" and report the user's browsing activity to somewhere, and this new version was pushed via automatic update in July 2013. 
Compare an older version of the add-on page for this add-on ("http://web.archive.org/web/20110610221727/https://addons.mozilla.org/en-US/firefox/addon/blocksite/") with the current version ("https://addons.mozilla.org/en-US/firefox/addon/blocksite"). 

There isn't even a privacy policy on the Firefox site. On the developer's web site, "wips.com", we find:

"NOTE: WIPS.COM'S EXTENSION SERVICE COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW. IN SOME CASES, INFORMATION COLLECTED BY THE EXTENSION SERVICE MAY BE PERSONALLY IDENTIFIABLE, BUT PRIVACY IS IMPORTANT AT WIPS.COM, AND WE DO NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY WIPS.COM USER. ...

Wips.com may change any of the terms and conditions contained in this Agreement, including the Privacy Policy and other policies and guidelines governing the Service, at any time in its sole discretion."

This is way out of line. This add-on needs to be blocked, and all add-ons associated with "wips.com" re-reviewed. This should never have gotten through AMO. 

Reported here per Mozilla policy statement at "https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Add-on_guidelines?redirectlocale=en-US&redirectslug=Addons%2FAdd-on_guidelines"


Actual results:

Add-on was accepted, downloaded to hundreds of thousands of users, and is spying on them now. 


Expected results:

This add-on should have been rejected by AMO.
Component: Add-ons → Add-on Security
Product: Tech Evangelism → addons.mozilla.org
More info about addon:

The code that "phones home" is in "wipstats.js", and is initialized in "wips.js". The code appears to at least 1) generate a unique, persistent ID for the user at installation or first use, and 2) report URLs/domains visited to "api.wips.com" as base 64 encoded JSON, along with the persistent user ID and some configuration-related information. There's no sign of code to suppress this behavior in private browsing mode, but I may have missed something.
Using MXR I found 63 add-ons containing the string "wips.com".
(In reply to Frederik Braun [:freddyb] from comment #2)
> Using MXR I found 63 add-ons containing the string "wips.com".
Wips.com has a generator which allows others to generate add-ons containing their code. There's some kind of payment scheme. They also have add-ons of their own, plus add-ons downloaded through their own "Showcase" site, bypassing AMO. 

The data collection code is different in different add-ons.  In their "TvExe" add-on, the "wipstats.js" file contains this code, which shows what data they're collecting:

    everyUrlSubmitOnce: function(){
        var submit_url = 'https://stats.wips.com/v2/site';
        var r = new XMLHttpRequest();
        r.open("POST", submit_url, true);
        r.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        var submit_obj = {
            "user_guid": WIPS.a0019b.wips.getPref(WIPS.a0019b.C.client_guid),
            "url": this.pageDataSubmit.url,
            "id": this.pageDataSubmit.id,
            "ref": this.pageDataSubmit.ref,
            "load": this.pageDataSubmit.loadTime,
            "spent": this.pageDataSubmit.spendTime
        }
        r.send("data=" + WIPS.a0019b.encode64(JSON.stringify(submit_obj)).replace(/=/,""));
    }

So every URL viewed, the user's unique ID, the referrer, how long the page took to load, and how long the user spent on the page are sent to "stats.wips.com" in Prague, Czechoslovakia.
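
The excerpt above sends "data=" followed by base64-encoded JSON with the first "=" removed and no percent-encoding. As an added example (not code from the add-on or from anyone in this bug), this Node.js code decodes a captured body of that shape so a reviewer can see which fields leave the browser; the function names and sample values are constructed.

```javascript
// Added example: decode a captured request body of the shape produced by the
// quoted everyUrlSubmitOnce(). Names and sample values are constructed.

// Mirror the excerpt's encoding: "data=" + base64(JSON), first "=" removed.
function buildSampleBody(obj) {
  const b64 = Buffer.from(JSON.stringify(obj), "utf8").toString("base64");
  return "data=" + b64.replace(/=/, "");
}

// Recover the JSON object from a captured body, or null if it does not parse.
function decodeStatsBody(body) {
  const m = /(?:^|&)data=([^&]*)/.exec(body);
  if (!m) return null;
  // The value is not percent-encoded, so a form parser in a proxy or log
  // pipeline turns base64 "+" into a space; undo that first.
  let b64 = m[1].replace(/ /g, "+");
  try { b64 = decodeURIComponent(b64); } catch (e) { /* keep raw value */ }
  // Only the first "=" was stripped, so one pad character may remain:
  // drop what is left and re-pad to a multiple of four.
  b64 = b64.replace(/=+$/, "");
  if (!/^[A-Za-z0-9+/]*$/.test(b64) || b64.length % 4 === 1) return null;
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  try {
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
}

// Fields from the excerpt that identify the user or reveal browsing history.
const TRACKING_FIELDS = ["user_guid", "url", "ref"];

function disclosedFields(body) {
  const obj = decodeStatsBody(body);
  if (!obj || typeof obj !== "object") return [];
  return TRACKING_FIELDS.filter((k) => obj[k] !== undefined && obj[k] !== "");
}

// Constructed sample; no real identifier or browsing data.
const SAMPLE_BODY = buildSampleBody({
  user_guid: "00000000-0000-4000-8000-000000000000",
  url: "https://example.org/account?tab=billing",
  id: 1,
  ref: "https://example.com/search?q=test",
  load: 412,
  spent: 37,
});
console.log(decodeStatsBody(SAMPLE_BODY), disclosedFields(SAMPLE_BODY));
```
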
The stats feature is opt in, so it is acceptable per our policies. We're going to request the developers to improve the wording in the opt in page because it can be a bit confusing. However, all it takes is to click on the red button or just close or ignore the tab to avoid any stats gathering.

So, unless they're doing any tracking without an opt in, or they aren't following their own stated privacy policies, I don't think there's any action to take here.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Note absence of privacy policy.
Ref Mozilla "No surprises" policy:
https://addons.mozilla.org/en-US/developers/docs/policies/reviews#section-defaults

"Whenever an add-on includes any unexpected* feature that ... compromises user privacy or security (like sending data to third parties)"

...
"These features cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review."

That's clear enough.  An add-on CANNOT add "tracking" or "phone home" features after initial review and have it automatically downloaded.  

Many users are posting angry comments about this.  See
"https://addons.mozilla.org/en-us/firefox/addon/blocksite/"  The comments
indicate that the add-on blocks many popular sites by default unless you opt into
tracking.  

Change this bug status to "VERIFIED/OPEN", please.
(In reply to John Nagle from comment #5)
> Note absence of privacy policy.

We noticed that, thanks. We brought it up with the devs.

(In reply to John Nagle from comment #6)
> "These features cannot be introduced into an update of a fully-reviewed
> add-on; the opt-in change process must be part of the initial review."

That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.


(In reply to John Nagle from comment #6)
> Many users are posting angry comments about this.  See
> "https://addons.mozilla.org/en-us/firefox/addon/blocksite/"  The comments
> indicate that the add-on blocks many popular sites by default unless you opt
> into tracking.

Has this been verified?
Do you really want to take the position that this form of spyware is now OK with Mozilla?

"As an open source project trusted by hundreds of millions of people around the world, defending Mozilla's trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission. Mozilla has a longstanding history of protecting users online and was named the Most Trusted Internet Company for Privacy in 2012 by the Ponemon Institute. We cannot abide a software company using our name to disguise online surveillance tools that can be -- and in several cases actually have been -- used by Gamma's customers to violate citizens' human rights and online privacy." - Alex Fowler, Mozilla privacy lead, on Techdirt, May 3, 2013, on the Gamma Industries FinSpy incident.

Did Fowler sign off on this "we don't enforce that policy" policy change?  This will be seriously embarrassing for Mozilla once the press gets hold of it.
Our position is that users should have control over their privacy and online experiences. By requiring all of these choices to be opt in, we're putting the decision in the users' hands. It is up to users to decide if they want to participate in this or not.
Mozilla users unhappy about this: 
http://forums.mozillazine.org/viewtopic.php?f=38&t=2737553

Some are trying to figure out how it was installed, and claim they didn't install it.
Well, something needs to be done about this.  It is an exploit begging to be taken advantage of.  It doesn't matter to users if the tracking is opt-in or not; the upsetting part is that this thing appears to come out of nowhere because this extension hasn't "worked" for them for 2 years now.

Millions, probably tens of millions of users have extensions installed which were automatically disabled because they were never properly updated for Firefox 4.0. So apparently all someone has to do is gain access to the owner's AMO page, either by purchase, freely, or stolen, and "update" the software for current versions and it will not only automatically update, but automatically enable itself with no warning.  Maybe the "safeguards" at AMO would keep baddies from abusing this on the AMO site, but what about extensions hosted off-site?  

And what if someone is well-meaning and takes over a long-dead project and makes it "compatible" without fixing anything?  What if it's one of those old extensions that used to cause severe memory problems, slow-downs, break other extensions, break websites, etc?

Shouldn't the Addon Manager *really* disable extremely out-of-date extensions, and not just this "soft" disable?
(In reply to Frederik Braun [:freddyb] from comment #2)
> Using MXR I found 63 add-ons containing the string "wips.com".

Sounds like another "Conduit" situation developing here, an automated extension-generating commercial company running amok at AMO.

I don't know which is worse, a "company" taking over an existing extension and then introducing features which collect data and transmit that data, or AMO not following its own stated policies and then defending the breach of those policies by saying they don't enforce all their policies because they're "outdated."

Do you have a list of which policies you can't be bothered with enforcing?
Right, one of the problems here is that users forgot they had it installed, so the opt-in and the add-on being enabled again worked together in confusing users. Which is why many are saying they don't know how they got it or think it was silently installed, which isn't true in any case, as far as we know.

I should also point out that the new version of the add-on has been trying to pass review for almost a year, and it has been rejected and resubmitted multiple times due to quality concerns. So, there's a significant gap between the add-on changing hands and the new version being approved, but part of it was due to our requirements and queue waiting times.

(In reply to patrickjdempsey from comment #11)
> Shouldn't the Addon Manager *really* disable extremely out-of-date
> extensions, and not just this "soft" disable?

Well, the assumption is that users want to be updated about their incompatible add-ons when a compatible version becomes available. This is generally the case. I do agree with you that we should do a better job of telling users which add-ons they have installed, either enabled or disabled, so they keep their add-ons list clean, but that's a separate issue.
To be clear, the add-on was never disabled as incompatible for these users. Even before WIPS bought the add-on, the compatibility was overridden to support the current version. What's changed is that on the first run after the update, users are seeing a screen asking them to opt into the tracking.