Slashdot Mirror


Mozilla Removes 23 Firefox Add-Ons That Snooped On Users (bleepingcomputer.com)

An anonymous reader writes: Mozilla has removed 23 Firefox add-ons from its add-on store that snooped on users and sent data to remote servers, a Mozilla engineer told Bleeping Computer Friday. The list of blocked add-ons includes "Web Security," a security-centric Firefox add-on with over 220,000 users, which was at the center of a controversy this week after it was caught sending users' browsing histories to a server located in Germany. "The mentioned add-on has been taken down, together with others after I conducted a thorough audit of [the] add-ons," Rob Wu, a Mozilla Browser Engineer and Add-on reviewer, told Bleeping Computer via email. "These add-ons are no longer available at AMO and [have been] disabled in the browsers of users who installed them," Wu said.


  1. Hey lets remove the old addons. by DarkRookie · · Score: 3, Insightful

    Cuz, you know, the new stuff is definitely secure and this is just an illusion,

    --
    The millennial that doesn't like most of the stuff designed for millennials.
    1. Re:Hey lets remove the old addons. by slack_justyb · · Score: 3, Insightful

      Cuz, you know, the new stuff is definitely secure and this is just an illusion,

      The old system was removed because:

      One, no one wanted to maintain the old system. Hard to keep a system secure when literally zero people want to work on it. Palemoon has some of the relics from the old system, which means a lot of your addons should work there, but be warned that even they haven't kept 100% the old ways because...

      Two, the old system sucked really bad. The old addon system is crap because it required way more tightly coupled pieces than should ever be needed. Yes, it was bad code, that should be said, Mozilla in the early days shipped bad code. By the time FF24 ESR came around, folks saw it as a good time to start breaking away from the old bad code because...

      Three, you couldn't please everyone and new features took forever. All that super tightly coupled code meant that as soon as you changed that over there, person C's addon would break, fix it, and now person R over there has a broken issue related to feature ABC, fix that and now person Q is complaining about devs breaking feature XYZ. This was literally the norm with addons all of the time. Bad code meant that the entire base was fragile and making sure addons worked between versions was becoming a nightmare, not only for FF devs but also for addon devs. Addon devs would just ask FF devs to just fix things and that led to...

      Four, at some point the FF devs said screw fixing this crap. Palemoon devs I guess are more apt to fix old code than the FF devs were, but basically the FF devs looked at the task at hand and just said screw it. With no one else wanting to jump on board, they began putting together what would become the next version of FF.

      Now here's the thing. These plugins were sipping data under the old system and they went undetected because the FF devs are busy trying to fix ABC that multitab dev over there is crying about. Now that the FF devs don't have to worry about that crap, yeah, they've got more time to carefully look at addons to see what's going on within. Addon security is indeed there, but only to a point. Addons aren't going to start grabbing files outside the sandbox and sending them to remote host, at least as far as anyone knows at the moment but bugs happen all the time. But all addons, even the old system, allowed your current URL request to be sent to remote host. If you use Palemoon, Chrome, Edge, or whatever, pretty much all addon systems allow to some degree the ability to ship your current URL to the addon for additional processing. The only way they can be made secure is to have eyeballs on the addons or if you just don't use addons at all, but you will not ever have an addon system that doesn't give the URL to the addon and trust them to not be malicious with it, unless you/yourself write said system. At some point, the end user needs to educate themselves about what the heck they're doing on their system. All addon systems are leaks of your data within your browser's sandbox. Using addons opens you up to a lot. If that's not kosher with you, then you ought not to use addons.

    2. Re:Hey lets remove the old addons. by Anonymous Coward · · Score: 2, Interesting

      That's a long comment to say "things have changed at FF and not for the better". Every (and I mean every) change that has come out of Mozilla lately has been horrible. The browser is larger than before, slower than before, has less useful extenstions, and has less configuration options exposed. Definitely not on the right track anymore.

    3. Re:Hey lets remove the old addons. by EzInKy · · Score: 2

      Okay, but the main thing I want is a status bar on my desktop computer, the ability to easily add bookmarks with just a click or two, and I certainly don't need a "pocket" connecting to websites I want nothing to do with.

      --
      Time is what keeps everything from happening all at once.
    4. Re:Hey lets remove the old addons. by slack_justyb · · Score: 2

      That's a long comment to say "things have changed at FF and not for the better".

      Depends on your definition of better. The code base is a lot cleaner and a lot of the underlying components no longer have crazy interactions with each other. They aren't quite to the point of easily being replaced in and out (loosely coupled) but they are a whole hell of a lot simpler to make changes in one without completely breaking the others. I'll side step multiple threads and what not. But compared to where the code base was, the browser's code is a whole hell of a lot better.

      The browser is larger than before, slower than before

      I don't know what you mean in size, pure size, RAM usage?? I'm going to go with RAM since that's usually what most people point a finger to. Memory usage is an issue in all browsers, and that's not an excuse. However, memory issues have plagued Firefox for quite some time now, here's one example for starters. RAM usage in browsers is a complex topic that's not just a "Mozilla, Google, Microsoft" changed something and now everything breaks. Browsers are being asked very complex things by JavaScript frameworks, video decoding, complex style sheets, web fonts, and so on. I'll say, I don't have a clear answer for you on that. The web is increasing in complexity and pretty much a browser is being asked to be a small self-contained VM. Firefox specifically has had to make shifts in what to prioritize for what goes on in the browser. So at one point there was a massive outcry of freezing and slowness, trade off for dealing with that to some extent is more RAM usage. There's a balance to be struck for sure, but even all high and mighty Google engineers have yet to really tackle that well. I will say this, that Palemoon has off and on changed with this. Some releases will focus on CPU enhancements and others will focus on RAM enhancements and you can tell which one is which by looking at htop. The web is astoundingly complex and perhaps it shouldn't be that way, or maybe it should be that way and browser devs have just yet to crack a meaningful balance between CPU/memory. As for the slower than before, I've not noticed that, but it really depends on your setup. Again, that has a lot to do with, "can the browser offload tasks to something else?" Which it's still insane to me that we've gotten to a point where webpages are so complex that we need to have offloading workers, but I guess I'm just an old fart.

      has less useful extenstions[sic]

      Yeah, you might want to read the article you are posting to for that. Devs can do one of two things. One, go ahead hack together an API for that and watch as it is slowly abused to death and we go right back to bad code in the code base. Two, actually put together a well thought out API and stress test it over time to develop a model that is one that will work well without a million hacks. By all means, if there's some contribution you'd like to add, the devs are all ears. But by no means, should the devs hack something together, just so your purple hug bear bar multi-tab manager addon will work. Want to speed that process up? Feel free to send anyone worth their salt who won't duct-tape their API up to make it work over.

      has less configuration options exposed

      Fun thing, Chrome has a ton of options exposed. Number one complaint I hear from that team is the fact they had to implement a search bar for the configuration since there are so many dang options. Is there a balance? Oh you betcha! No arguments there, but it's literally, "you will always be burned by someone" type thing. about:config and just deal. If there's something you really, really want to see. Put it up on Bugzilla, make a strong argument for it. I'm not saying you are wrong on this, but it's just such a touchy thing that devs really want a strong argument for

  2. List by bill_mcgonigle · · Score: 5, Informative

    read TFA for methods and BMO link.

    Popup-Blocker
    Facebook Bookmark Manager
    Facebook Video Downloader
    YouTube MP3 Converter & Download
    Simply Search
    Smarttube - Extreme
    Self Destroying Cookies
    Popup Blocker Pro
    YouTube - Adblock
    Auto Destroy Cookies
    Amazon Quick Search
    YouTube Adblocker
    Video Downloader
    Google NoTrack
    Quick AMZ

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Re:OPTIONAL by Desler · · Score: 2

    How would they have been able to choose when the behavior was purposefully hidden from the users?

  4. Is one of the addons Pocket? by xack · · Score: 4, Interesting

    pocket, amazon and systemd, ruining your linuxperience.

  5. Re:OPTIONAL by Desler · · Score: 2

    Pretty sure most users disagree and are perfectly fine with malware being disabled on their computers.

  6. Re:Implications by jbmartin6 · · Score: 2

    I use separate instances of Portable Firefox for the same purpose. Also true, browser extensions have to be treated like any untrusted program these days given how much we do from within the browser.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.