One of 30 extensions is likely intermittently hijacking tabs

I don’t think an extension can update to a nonexistent version, but unless a block is deployed, it won’t be disabled or rolled back, either. Extensions have to be nominated for blocking through a separate process from review.

Version 2.3.1.0 · July 5, 2018 had a feature to “ask for feedback” every 7 days. That included opening the lzpv4rsmat(dot)com
Currently that does not result in automatic rejection and it is left to users to decided if the monetization system deployed by an add-on is desirable or not.

Version 2.3.2 · July 13, 2018 had more serious issues and was rejected the same day. Developer deleted his/her account after that.

Once all version of an add-on are rejected, the add-on will no longer update but it remains on users computers. If an add-on is blocked for serious issues (a totally different process by Admin) then it will be disabled on users’ Firefox as well.

1 Like

Reported: 14 years ago

The problem with this approach is that it’s extremely time-consuming for a user to determine which add-on is opening the new tab. There should be an easier way than process of elimination to detect monetization systems that are added in an update, especially when they can open tabs intermittently rather than when the add-on is actually used.

What’s the best way to submit this concern, since it’s not bug per se?

@caitlin should be able to advise on this issue.

2 Likes

My bet goes to “1-Click YouTube Video Downloader”

I have the same thing happening to me. Multiple tabs opening, fake flash update tabs.
All are usually identified by Norton or Malwarebytes and are blocked.

This is my work PC and I have all of 2 add-ons. Adblock plus and 1-Click YouTube Video Downloader.

I just deleted the possible offender.

@caitlin brought this up at a team meeting, then replied:

If you look at each extension listing on addons.mozilla.org, you might be able to narrow down which extension is the culprit to the ones that use the ‘new tab’ permission. Otherwise, process of elimination is the best way to identify the extension causing the unwanted behavior.

We currently don’t have a policy against this kind of behavior, but it’s something we might discuss more in the future if we see more users complaining about a poor experience.

Removing it stopped new tabs from opening for a week. When I removed it I installed “YouTube mp3 Downloader” from author “YouTube Download Tool” (there’s more than one “YouTube mp3 Downloader”), which requests no malicious permissions per addons.mozilla.org.

Today however a tab opened to addonbrowser dot com/youtube-mp3-download?v=3.0.0&type=install that was flagged by Avast as potentially harmful, advertising “Mp3 Downloader for Youtube.”

A new window also popped open to www.pc.error2323219459ausmsauthcombof0807 “dot” com.s3-website.us-east-2.amazonaws.com/assests/eng_ff_auth.html… with a “** YOUR COMPUTER HAS BEEN BLOCKED.**” message and an 877 number to call. It came with a repeating authentication popup “http://www.winsupporthelp “dot” club is requesting your username and password” that was impossible to dismiss without restarting FF.

This is very serious. A majority of so called “help” sites ask the unwary for access to their OS, and once given can do all manner of badness.

Have you done a full scan of your computer? It sounds like this may have less to do with any plugin and more to do with your computer being infected.

I’ve run scans with Malwarebytes and Avast. I’ve just changed my default browser to MS Edge (again) so I can be sure, and I’ll report back if Edge is opened. However, there’s no policy against extensions doing this:

1 Like

I disabled “YouTube mp3 Downloader” and haven’t seen an ad in a couple of days. I now see reviews for the addon that say: “tries to open scam pages and phishing pages” (2 days ago) and “…and it’s been opening ads in my browser. Deleted and ads are gone.” (13 days ago).

“YouTube mp3 Downloader” isn’t shown to use the “new tab” permission.

“YouTube mp3 Downloader” from author “YouTube Download Tool” appears to be the source of the malicious popup since it hasn’t appeared since I disabled that extension.