Someone published copies of my add-on on AMO

Wauw! That’s wild. I’ll write those AMO admins again. Thanks!

These Firefox extensions are clones of the imageinfo sample extension for Chrome:

  • GetImageinfo pro plus
    (removed by Mozilla)
  • GetImageinfo plus
    (removed by Mozilla)
  • Gold Image info
    (still on AMO)

I’ll report the users and see what Mozilla does about them.

1 Like

It seems all the mentioned extensions have disappeared from search results now.
I haven’t kept any direct link to the found extensions, but the link to an account I previously posted in this thread is also dead now. Hopefully permanently.
So something is definitely happening now :slight_smile:

But I wonder if we have only discovered the tip of an iceberg of problems?

2 Likes

Google still has links to the extensions, and the ones I’ve checked have been deleted.

Many, but not all, extensions with “Pro” in their name seem to be clones.

Clone: https://addons.mozilla.org/en-US/firefox/addon/manifest-tracker-pro/
Original: https://addons.mozilla.org/en-US/firefox/addon/hls-stream-detector/

These spammers just don’t give up:

Image Metadata Master Pro
MetaLens Master
DataLens Pro Max
EXIF Inspector Pro
MetaLens Pro
Photo Metadata Viewer

(I’m not linking to them, because that could somehow help the SEO spammers, at least until Mozilla removes the extensions)

2 Likes

Thanks @hans_squared.
I have mailed amo-admins again :-/

I notice the “Report this add-on” form/functionality has been updated with the recent AMO update. Hopefully this will also result in quicker actions being taken going forward?

7 new copies of xIFr have been posted on AMO since the clean-up in the middle of November. And though I have been reporting them continuously as they were posted on AMO, none of them have been removed yet…

MetaView Pro, Image Metadata Master Pro, MetaLens Master, DataLens Pro Max, EXIF Inspector Pro, MetaLens Pro & Photo Metadata Viewer

But the new “Report this add-on” form/functionality makes it possible to make reports as your authenticated AMO user. Before, I believe it was always anonymous. Being authenticated might put a bit more weight behind claims like “copied MY extension”? It does of course also make it possible for Mozilla to answer the reports in case needed.

But hopefully Mozilla also plans some more pro-active actions, to stop the spam extensions from being posted at AMO in the first place? Personally I’m for a fee when posting your first extension. It could be a small and symbolic fee; the most important thing is that the extra step has to be done. Besides the extra trouble itself (and the cost) of the extra step, it would also make posters less anonymous?

2 Likes

If anyone cares…

I did a bit of a deeper investigation into one of the “spam-copies”. So far I have assumed them to be exact copies of xIFr 2.12.0, but never checked every single line in all the files.

But I found out how to create a little PowerShell script comparing every file in two unpacked extensions. And it turns out there are two differences between the tagged 2.12.0 release in my repository and the “spam-copy”. One is reformatting and insertion of an “id” in the manifest file. I believe that is done by AMO when uploading an extension, so it is to be expected. The other one is the inclusion of a single little extra commit I made to my repository the day after I tagged and packed version 2.12.0.

So in conclusion, the spammer did not just take the 2.12.0 release version that can be found tagged and packed in my repository, but has packed it manually (zipping the content of a folder) from a snapshot of my repository in the period July 16th - August 16th.

So, note to myself: be careful calling them exact copies of version 2.12.0. But it is still only code from my repository.

There is still no response on the reported 9 new copies I have found posted since the first “cleanup” in the middle of November. I hope Mozilla is “just” busy, and it is not because they have any doubts about whether the extensions should be deleted or not?

1 Like

So after having checked every file in one of the spam-extensions (“ImageData Explorer”) and verifying it hadn’t been updated on AMO after I previously downloaded it, I finally dared to install it myself via AMO to see how it presents itself when installed. And sadly it not only presents itself as “xIFr” on the onboarding page I have made (I knew there were no changes to that),…

but the extension was also presented as “xIFr” by the browser in prompts when installing,…

(screenshot: xIFr-clone1)

and after it has been installed, it presents itself as “xIFr” in the extension dropdown and on the “Manage Your Extensions” page. Not by the name it had on AMO…

So chances are people quickly forget the name it had on AMO, and never discover they have installed an “unofficial” version of xIFr, which probably never will update (and if it does, probably not to anything good).

Really frustrating to have my name and homepage-links on it everywhere :frowning:

2 Likes

Hey @stig, I’m sorry about the poor experience here. I don’t have anything to share at the moment, but I wanted to at least acknowledge from the Mozilla side that we’re aware of this thread and that I’m going to look into it from a developer experience point of view.

1 Like

Thanks @dotproto.
The silence was frustrating. I needed some response, and an acknowledgement of the problem from Mozilla. I wasn’t sure if Mozilla just saw me as a hysterical developer complaining about innocent look-alike extensions.

I currently count 11 “xIFr clone” extensions:
PicData Analyzer, ImageMeta Master, ImageData Explorer, PicInspector Plus, MetaView Pro, Image Metadata Master Pro, MetaLens Master, DataLens Pro Max, EXIF Inspector Pro, MetaLens Pro, Photo Metadata Viewer

1 Like

Thanks Mozilla, AMO admins, @dotproto or whoever finally removed all the reported “clone extensions”.

Just discovered a new “MetaMap Viewer Pro” which apparently was posted 5 days ago, but which I hadn’t discovered until now. But all the other 11 “clone extensions” I have reported since the middle of November are now gone.

That means a total of 25 clones of “xIFr” have now been removed from AMO.

2 Likes

It wasn’t me, but I’m glad to hear it! I should also say that your previous attempts to contact AMO reached the right folks. I think it’s mostly coincidence that action was taken shortly after I commented here.

@stig Unsure if this will keep being a problem for you, but if it does then you could consider rigging your original code to either not function correctly and/or show a warning popup whenever the extension id does not match yours, and remember to obfuscate it so it isn’t easy for them to track it in code. This way, whenever someone installs a blind copy of your original code from AMO the user will be either informed of the situation, or the extension will not work correctly, or both.

3 Likes

@Particle, very interesting idea.
First of all, I wish you gave me that tip half a year ago :wink:

But it got me thinking…
I’m not sure it would be a good idea to obfuscate any code; that would also mean trouble for me when submitting new versions to AMO.

The question is, should I try to make it difficult for the spammer, or should I make it easy for users to discover they have an unofficial version?

Even though the spammer hasn’t changed anything in the copies I have checked, the spammer knows Git well enough to import my repository and zip the content of a folder (it’s a snapshot of code in between two official releases). So I will assume the spammer has some coding experience too. Will the spammer just jump to another extension if I put a simple “integrity check” on the extension’s onboarding page? There’s a good chance, I guess, but if not, I will always be one step behind if he starts modifying my code.

If I focus on users only, I’m thinking about not making the “integrity check” immediately. Maybe wait until a day or two after install, and hope that the spammer never discovers the check, and thus never looks for a way to remove it?

But of course, nothing here helps fight the current spammer, unless he gets the idea of taking a newer snapshot, instead of just continuing to use the same one as he does currently :frowning:

Yes, I’m just thinking out loud here. Comments and ideas are welcome (and I hope the spammer doesn’t follow this thread :wink: )

1 Like

You could also check details.temporary in the runtime.onInstalled listener.
Spammers probably won’t install their clone extensions from AMO to see if they really work.
Or combine this with your method.

edit:

LoL, I’ve just gone on a reporting spree.
But AMO doesn’t let me report any more clone SEO spam add-ons:
“This request was throttled. Expected available in 84015 seconds.”

= 1400.25 minutes = 23 hours and 20.25 minutes
:hourglass_flowing_sand:

Mozilla, please don’t be mad at me :slight_smile:

2 Likes

Does anybody know if there is a way for an extension to make a link to the AMO-page it was installed from?
I tried using the extension-id as search-input on AMO, but that didn’t work…

If the extension ID is: “{914110ae-a286-4f40-abe3-fb421f459994}”
then the AMO page is: https://addons.mozilla.org/addon/{914110ae-a286-4f40-abe3-fb421f459994}
(using a recent clone extension as an example)

2 Likes
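Three ideas from the posts above fit together in one small background-script helper: @Particle’s suggestion to warn when the extension id does not match the author’s, the tip to check `details.temporary` in the `runtime.onInstalled` listener so development installs via about:debugging are never flagged, and the `https://addons.mozilla.org/addon/<id>` link that points users to the AMO page the build was actually installed from. This is an added example and not xIFr’s code; `OFFICIAL_ID` is a placeholder for the author’s real id, the delayed re-check via `browser.alarms` follows the “wait a day or two” idea from the thread and needs the `alarms` and `storage` permissions, and the `unofficial.html` page name is assumed.

```javascript
// Added example (not xIFr's own code): classify an install as official,
// development, or unofficial, and build the AMO link for the installed id.
// OFFICIAL_ID is a placeholder; a real extension would use its own id.
const OFFICIAL_ID = "{00000000-0000-0000-0000-000000000000}"; // placeholder
const AMO_BASE = "https://addons.mozilla.org/addon/";
const RECHECK_DELAY_MS = 2 * 24 * 60 * 60 * 1000; // "a day or two" after install

// The AMO page for a given id, as shown in the thread.
function amoPageUrl(extensionId) {
  return AMO_BASE + extensionId;
}

// `temporary` is true for about:debugging loads (the author's own test
// builds), so those are never flagged. A signed install with a different id
// was uploaded by someone else, because AMO assigns the id at upload.
function classifyInstall({ id, temporary }) {
  if (temporary) return { status: "development", warn: false };
  if (id === OFFICIAL_ID) return { status: "official", warn: false };
  return {
    status: "unofficial",
    warn: true,
    installedFrom: amoPageUrl(id),
    officialPage: amoPageUrl(OFFICIAL_ID),
  };
}

// When the delayed check should fire, given the install time (ms since epoch).
function checkDueAt(installedAtMs, delayMs = RECHECK_DELAY_MS) {
  return installedAtMs + delayMs;
}

// Wiring for a real WebExtension; skipped outside the browser (e.g. under Node).
if (typeof browser !== "undefined" && browser.runtime && browser.runtime.onInstalled) {
  browser.runtime.onInstalled.addListener((details) => {
    const verdict = classifyInstall({ id: browser.runtime.id, temporary: details.temporary });
    if (!verdict.warn) return;
    // Store the verdict and schedule the user-facing warning for later, so a
    // copier who only tests right after install does not see it.
    browser.storage.local.set({ installVerdict: verdict });
    browser.alarms.create("integrity-check", { when: checkDueAt(Date.now()) });
  });

  browser.alarms.onAlarm.addListener(async (alarm) => {
    if (alarm.name !== "integrity-check") return;
    const { installVerdict } = await browser.storage.local.get("installVerdict");
    if (installVerdict && installVerdict.warn) {
      // unofficial.html is an assumed page in the extension that explains the
      // situation and links to installVerdict.installedFrom and officialPage.
      browser.tabs.create({ url: browser.runtime.getURL("unofficial.html") });
    }
  });
}
```

Because the id comparison runs inside the copied code, a copier with some coding experience can remove it, as the thread notes; the value of the check is for users of blind copies, not as protection against a determined re-packager.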

Ah, so simple I should have guessed :slight_smile: - Thanks.

The AMO-name of the extension is not known by the extension itself, nor seems to be shown by the browser anywhere. So it can be difficult for an ordinary user to find out where it was installed from (the only way I have found in browser, is to follow link to reviews from extension manage details page - not very intuitive or easy to find). But now I can point directly to the install-page :+1:

Sorry, I am afraid I can’t provide you with a definite answer. Obfuscation does not necessarily mean the text has to be garbled; the code itself can be dynamic, not fit a specific pattern (function offuscate(), function ObfUsct(), const ofsct = function(), etc.), move the code up and down in the source code and fragment it, and so on. It was simply a suggestion in case you might face the same situation again, which I hope does not happen.

Another idea would be to make bait releases in your repo only and not release them on AMO, so essentially the copycats would blindly grab that version and upload it to the store, and any users would get a warning or something informing them that they are using a fake version and to make sure that any installs are made from the only official link to your extension, which you provide.

But if you also do releases to the public in your repo (users actually install directly from your repo releases) you’d have to make sure they wouldn’t be served with that version either, otherwise that idea wouldn’t be a viable strategy.