Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings (softpedia.com)

Posted by timothy on from the you-crossed-the-line-but-then-erased-it dept.

An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is because the add-on was caught disabling a Firefox security setting (code signing) which the allowed it to silent-install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was again caught cheating when it was using an self-contained update system that was bypassing Mozilla's add-on review process.

19 of 112 comments (clear)

  1. Good on Mozilla by Anonymous Coward · · Score: 2, Interesting

    Please publish the names of the authors, so we know not to ever install anything written by them ever again.

  2. Re:Let THE USER Decide by epyT-R · · Score: 2, Interesting

    Well, on the one hand, it's good to know that there was possible bad behavior, but on the other, the trend of vendors locking down their ecosystems is hurting those who do not wish to accept whatever they're willing to push through the needle.

  3. Re:Let THE USER Decide by Kremmy · · Score: 5, Insightful

    What, are you a malware author or something? Remove this backdoor garbage from official add-on repositories.

  4. Security design-flaw in Firefox by Anonymous Coward · · Score: 5, Insightful

    It should not have been possible that an add-on can change security settings to begin with.

    1. Re:Security design-flaw in Firefox by bloodhawk · · Score: 4, Insightful

      Then the user should be asked and CONSENT to changing the security setting. Allowing any addon to do this without the users knowledge is most definitely a design flaw.

    2. Re: Security design-flaw in Firefox by Anonymous Coward · · Score: 3, Interesting

      Security relevant settings should of course be changeable. But they should only be changed by the user, and only via native browser UI, or maybe by explicit opt-in permission from the user via native browser UI. I say maybe because is already dangerous to let users grant that kind of permission. Firefox is for the general population, people who have been trained to give anything they install sweeping permissions without even reading the boilerplate.

    3. Re:Security design-flaw in Firefox by chefmonkey · · Score: 2

      Well, sure. The issue is that add-ons have historically been loaded into the same security context as the rest of the browser code, which means they could literally do anything. The recent move towards having a better-defined API -- one that would prevent the kinds of things you think should be prevented -- is being done in large part to make this a far more tractable problem to deal with.

      Of course, as soon as there's any noise about preventing add-ons from doing literally anything they want to your computer, Mozilla is painted as control-freak fascists out to destroy Firefox forever. So it's kind of a rock-and-hard-place situation.

  5. GJ by ZeRu · · Score: 2

    When I read the first sentence, I thought to myself that reasoning behind this was some corporate/copyright bullshit. But looks like Mozilla did a good job on this!

    --
    If you post as an AC, don't expect me to spend a mod point on you.
  6. Re: Let THE USER Decide by Anonymous Coward · · Score: 5, Informative

    "The add-on remains available through its homepage."
    The user still can decide. Mozilla only removed it from their add-on marketplace, which is IMO the correct action and certainly not any kind of overreach. That's like saying Google is wrong for banning Android apps from the Play Store which root your phone - it's not, they have policies and those apps knowingly violated them; if you still want those apps side loading is available.

  7. I didn't realise this add-on existed... by 91degrees · · Score: 2

    Now I want it. Except without crippling my security.

    Is there an alternative?

    1. Re:I didn't realise this add-on existed... by jrumney · · Score: 2

      Is there an alternative?

      Newsflash: people who write ad-ons that do not respect the rights of publishers most likely have no respect for your rights either. If you still want alternatives, tread carefully.

    2. Re:I didn't realise this add-on existed... by cdrudge · · Score: 3, Interesting

      people who write ad-ons that do not respect the rights of publishers most likely have no respect for your rights either.

      So authors the various ad blockers, NoScript, Ghostery, etc aren't respecting your rights when they also don't respect the publisher's rights, blocking all the crap the publishers include? How am I suppose to live with myself and sleep at night violating the publisher's right to violate me?

  8. COB: Corporate Overreach Blocker has detected.... by TapeCutter · · Score: 2

    As the smartest guy on the internet you probably already have my patented corporate overreach blocker installed. As you probably know it has been banned from freedom hating corporate repositories, meaning my elite followers are forced to download it from my exclusive website. What you may not know is that I just finished uploading the new version. The new version of the banned plugin can now shrink corporate overreach from the most powerful multi-nationals in the world down to the size of Donald Trump's fingers. It's really important that you and all your loved ones download the latest version NOW!!!! - My corporate spy team are telling me that the censors at google are about to delist my website, not sure when that will happen, it could be hours or days, but when it does happen I will be forced to move operations onto the dark web.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  9. Re:Let THE USER Decide by William+Baric · · Score: 4, Insightful

    I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.

  10. Re:Let THE USER Decide by paulatz · · Score: 3, Insightful

    The FA says you are still allowed to infect your pc with all the malware you want from the addon homepage. Did you try to RTFA but were stopped by ad popups?

    --
    this post contain no useful information, no need to mod it down
  11. Re: Let THE USER Decide by bickerdyke · · Score: 4, Insightful

    The user CAN NOT decide if the probably unwanted stuff is slipped to him secretly.

    It would be different if the user was warned during plugin installation "Hey, we're going to mess with your browser security setting and will install stuff that would trigger your virus alert, but - just to avoid that confusion - we will disable your antivirus while we're at it. OK?"

    THAT would be "let the user decide".

    --
    bickerdyke
  12. Re:other browsers with Firefox-like add-ons by johanw · · Score: 2

    Try a Firefox clone like Palemoon http://www.palemoon.org/ . The flexibility of Firefox but without the would-be Chrome UI crap.

  13. Re:other browsers with Firefox-like add-ons by arth1 · · Score: 5, Informative

    Or you could just install Classic Theme Restorer, since palemoon isn't 100% compatible with firefox addons and made by amateurs.

    From a security point of view, Palemoon failed even at step one, installation. Its Linux installer *requires* that the system is set up for gratuitous sudo. Anything that asks for a system password during installation is something I will not install. And a system password that for an account that is set up to have root access for any command when the account password is given? No, just no.

    (And never mind that they can't be bothered to list the prerequisites either.)

  14. Re:other browsers with Firefox-like add-ons by sexconker · · Score: 4, Insightful

    It really is too bad that Windows doesn't really have a concept of an /opt directory or installing to user folders.

    It does.

    Programs that aren't written by morons should ask you if you want to install it for the current user only (no UAC required) or for the whole system (UAC required).

    For the user, HKEY_CURRENT_USER\Software in the registry is like the opt directory.
    But so is %USERPROFILE%\AppData\. And in AppData you have Local, LocalLow, and Roaming.

    The %APPDATA% variable points to Roaming by default, while the Local directory is for shit specific to the PC (shouldn't roam), or is too big to roam. LocalLow is a "low integrity" directory. Allegedly things like plugins and add-ons should store their shit there and not be able to write to the Local directory.

    For the system, you have HKEY_LOCAL_MACHINE and %ProgramData%.

    The problems are:

    1 - Morons write programs and demand full access to the whole system regardless of whether or not they need it.

    2 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the registry, in both HKLM and HKCU. Even when it's documented, it's fucking wrong (I'm looking at you, Adobe).

    3 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the the various %USERPROFILE%\AppData\ folders and the %ProgramData% folder .

    4 - Morons write programs and store even more configs in the program's installation folder or other random places (like the Documents library).

    Any one of these things alone is annoying, but programs often do all 4. This makes figuring out configs even harder - does the registry override settings.ini in the program folder? Or perhaps the profile in %AppData% wins out. What about the settings in %ProgramData%? Which registry settings are in HKLM vs HKCU? Why isn't anything in %AppData% or %ProgramData% or even the fucking registry cleared out when I uninstall?

    It's a mess because developers are morons and Windows lets morons make a mess of things in several ways.