Crvtck.com-tracker in addons "Screengrab!" and "S3.Google Translator"

privacy security

#1

I have found trackers in the addons “Screengrab!” and “S3.Google Translator”:

The addon “S3.Google translator” (at least version 5.35) and “Screengrab (fix version)” (at least version 0.99.12) do contain a tracker. I tested with these versions because I use the Pale Moon browser, and not all Firefox addon (versions) are compatible with Pale Moon. But since it is a tracker I suspect it to be also in later versions and successor addons.

I report it here, to raise awareness for the responsible people so that they can investigate and take measures.

Here is what I observed:

When one of the addons is enabled, whenever I visit a new domain in a new tab (or revisit an
old one after some longer time), this is logged to crvtck.com, possibly
containing other data:

I see HTTP requests going out to URLs of the form

https://crvtck.com/get?key=<key>&out=https://kauflandstiftung.demdex.net&ref=https://www.kaufland.de&uid=o256&format=txt

<key> is a hex string with 32 characters.


#2

… I also notice POST requests to discount.s3blog.org:

http://discount.s3blog.org/addon.html?!POST:<string>
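
The two request shapes reported in posts #1 and #2, turned into a check over proxy or browser network logs. This is an added example, not part of the original posts. The `METHOD URL` log format, the function names and the key value in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

KEY_RE = re.compile(r"[0-9a-fA-F]{32}")  # post #1: key is 32 hex characters

def host_of(url):
    """Hostname of a URL carried inside a query parameter, or None."""
    return urlsplit(url).hostname if url else None

def classify(method, url):
    """Return a finding if the request matches a reported pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # exact host match, not substring
    if host == "crvtck.com" and parts.path == "/get":
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        return {
            "pattern": "crvtck-get",
            "key_ok": bool(KEY_RE.fullmatch(q.get("key", ""))),
            "ref_host": host_of(q.get("ref")),  # host in the ref= parameter
            "out_host": host_of(q.get("out")),  # host in the out= parameter
            "uid": q.get("uid"),
        }
    if host == "discount.s3blog.org" and parts.path == "/addon.html":
        return {"pattern": "s3blog-addon", "method": method}
    return None

def scan(log_lines):
    """Parse 'METHOD URL' lines (assumed format) and return findings in order."""
    findings = []
    for line in log_lines:
        method, _, url = line.strip().partition(" ")
        hit = classify(method.upper(), url)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample log; the key is a made-up placeholder value.
SAMPLE_LOG = [
    "GET https://www.kaufland.de/",
    "GET https://crvtck.com/get?key=0123456789abcdef0123456789abcdef"
    "&out=https://kauflandstiftung.demdex.net&ref=https://www.kaufland.de"
    "&uid=o256&format=txt",
    "POST http://discount.s3blog.org/addon.html",
    "GET https://crvtck.com.example.net/get?key=zz",  # look-alike host, no match
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Collecting the `ref_host` values across a log shows which visited sites were included in the outgoing requests.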

(Philipp Kewisch) #3

Thank you for the report. Please make sure you try this in the latest version though, as policy issues may have been fixed in the meanwhile.

For reporting policy violations, it is better to contact amo-admins [at] mozilla [dot] org. If you have any followup on this case please contact us via email.


#4

Thank you for your answer.

I cannot test it with latest versions, since I
use Pale Moon, and the latest versions are not compatible with Pale Moon
(or the author just does not care to add compatibility information in
the metadata).

And I don’t see it as my duty to take big extra measures (compile and
install Firefox, configure it, …) to test more; it was already some
time to dig this one out and find a place where to report it.

Thank you for sending me the Email address to report policy violations.

On Tue, 5 Jun 2018 20:53:14 +0000, Philipp Kewisch
discourse@mozilla-community.org wrote about “Re: [Add-ons]
Crvtck.com-tracker in addons “Screengrab!” and “S3.Google Translator””:


#5

Reported.

Also going to public authorities responsible for privacy violations.

I am thinking to report this also to the public authority in charge of
privacy violations. I think this is a privacy violation since data
about which websites the user visits is sent to somewhere without the
user being informed and presented with an opt-in. And this would mean
that probably the Mozilla Foundation would be made responsible because
they actively distribute the violating addon.