Is it legal to have an addon that after the installation urges users to install a second addon outside AMO?


#1

Hi,

after the installation, a website opens and tells users that they can support the development of this addon by installing a second addon. Then you will see advertisements while surfing and thus generate revenue for the developer. However, the second addon is hosted outside of AMO. The second addon contains routines that are normally banned by Mozilla, i.e. dynamically loading JavaScript code from the developer's website. Users aren't told the implications of installing this second addon; there is no privacy policy or terms of use for this second addon. I actually had to look at the source code to find out what it does.

Is this allowed? Shouldn’t the main addon be banned from AMO? At least, this is very bad style and I don’t think this kind of addon should be allowed by Mozilla!

P.S. The addon in question is: https://addons.mozilla.org/de/firefox/addon/youtube-unblocker-plus
You can safely install the main addon, then watch the website which opens automatically. Don't click anything there! Instead, analyze the source code of the website and the linked "support addon" to verify what's going on. (You may use Google Translate for this website.)


(erosman) #2

I have passed your concerns to Admin.


#3

I would also recommend that you blacklist this unofficial "support addon". This can easily develop into something like YouTube Unblocker (the older version without "Plus"). You remember? https://www.gizmodo.com.au/2016/03/firefoxs-youtube-unblocker-add-on-removed-by-mozilla-for-bad-behaviour/
Here again we have the case that source code gets dynamically loaded from a specific URL. If this URL gets hacked or replaced, everything is possible.

Oh, and by the way, there is also a second addon by the developer with the same issue called "YouTube Download Plus". However, stupidly, I warned the developer that I was going to report the addon, so he changed the "after install" page. However, there are still thousands of users with this malicious, unofficial addon on their systems.
Luckily, I still have a copy of that addon, so that you can diagnose it and find a way to remotely remove it from affected users.

I have attached both malicious “support” addons here:


#4

The developer now actually told me that you signed (hence officially allowed) his unofficial "support" addons despite the fact that they dynamically load code from remote websites. And he is correct, the addons have a valid signature, otherwise it wouldn't be possible to install them.

So what is this whole signature-system worth if you basically sign everything, even a blank check, where the developer can remotely inject everything into the addon?

Didn’t you learn anything?

YouTube Unblocker, WoT, ProxTube? Every once in a while, a malicious addon appears and then everyone is shocked. How could this happen? Why didn’t anyone warn us about this?

I think this is a huge design issue. How can you even decide that the addon is sane if the addon is just a wrapper for the content that’s stored somewhere else?


(erosman) #5

@jorgev … should be able to answer your questions.


(Jorge) #6

Can’t really respond without knowing the details of the cases you mentioned. We have rules against remote code execution. Sometimes we make exceptions, sometimes we make mistakes. We set a bar for security and try to stay on top of it. It’s not possible to have perfect security, and the actions to take in certain situations aren’t clear at all.