Hi,
I’m trying to post a valid review on addons.mozilla.org for this addon. But after 1 day, the review suddenly disappears. I have tried several times, but it was always deleted afterwards. I have posted other reviews for other addons in the past and those never got deleted.
Here is the review in question:
Here is how the addon works:
Every time you open your webbrowser, this addon downloads a new configuration file directly from the website of the addon creator. This configuration file specifies which proxy the addon should use and on which sites the proxy should be enabled.
The advantage of this is that it’s very convenient for the end user.
But on the other side, this opens a major security hole:
If the server of the addon creator gets hacked, a hacker could place a malicious configuration file on the server. There, he could specify his own webserver as the proxy and configure the addon in such a way that the proxy is enabled on all websites, not just YouTube. Then, the hacker could basically spy on your complete internet traffic, perform man-in-the-middle attacks and so on.
This is a very likely scenario, because:
- This is what experts assume has happened to the predecessor, “YouTube Unblocker”. It had a similar architecture and there, all of a sudden, a malicious configuration file appeared on the server, compromising the browser of the user.
- The addon developer is just a hobbyist, not a professional. Therefore the chance that a hacker could find a way to get into the server of the addon creator is very high.
- The addon itself does not perform any sanity checks of the configuration file, it does not check the signature of the configuration file, etc., so it is very vulnerable to this kind of attack.
Did you find anything offensive or abusive in this review?
Please note that this is NOT a bug report, but rather a review about the safety of this addon. The author is already aware of this problem and he told me that he refuses to change anything about this.
Is it not allowed to post critical reviews or what’s going on here?