Someone published copies of my add-on on AMO

Hi

I just coincidentally discovered that someone has published a copy of my “xIFr” add-on, but calling it “EXIF Master Pro” instead.
Now, xIFr is open source, and people are free to fork it or play around with it. And I haven’t checked every line of code in this new extension, so I don’t know if there are any modifications or if it is an exact copy. Haven’t tried installing it either.

BUT the new add-on is published on AMO, and the new AMO-page stills says “xIFr” in “About this extension” and the homepage-link for the add-on points to my GitHub repository for xIFr. THAT makes me fell very uncomfortable.

I cannot see anywhere to report things like this. But maybe someone sees this and can take some kind of action?

/Stig

Still haven’t made a complete check for modifications (or tried to install it), but a glance in source code tells me that all references to “xIFr”, my name, my github repository, my personal homepage and my other extension (Flickr Fixr) looks to be intact in manifest file and on onboard-, upboard- and options-pages.

At first glance looks like a pretty exact copy of version 2.12 of xIFr (I deleted most old versions on AMO not so long time ago, but 2.12 is still available on github)

I found an amo-admin’s email address to contact, and I have received the following - I think very disappointing - response as an answer:

Hello,

Thank you for letting us know about the copied add-on. While we can review
the copy according to our policies,
https://extensionworkshop.com/documentation/publish/add-on-policies/ we
cannot evaluate other content like names and linked support sites etc as
part of that.

I recommend to file a copyright/trademark infringment report via
https://www.mozilla.org/en-US/about/legal/report-infringement/.

Best Regards,
The Mozilla Firefox Add-ons Admin Team

Really!? I need to “file a copyright/trademark infringment report” for this!?
Isn’t it really obviously a situation that not only I, but also AMO should be very very uncomfortable and unhappy with? The extension link to me as the responsible, contact and support for something I haven’t actually uploaded!?

Btw, if you go to the AMO-account profile for the uploader, the homepage-link on profile links to what looks like a travelagency page. I think we can ad spamming and/or “SEO” to the problems here…

I wonder if that’s a valid reason to “Report this user for abuse”

And now there’s two four copies uploaded by different accounts.

All appear to be pretty exact copies, though I haven’t checked them bit-by-bit. The first I discovered is named “EXIF Master Pro”, the others are “EXIF Explorer Pro”, “Image Data Master” and “Photo Data Viewer Pro”.
Maybe there’s even more I just haven’t discovered yet?

I haven’t gone through the trouble of making a formel DMCA. I’m not even sure about what exact requirements are needed to do that. Looks like a lot of work at least.

I just don’t understand it ain’t as much in Mozilla’s interest to stop this as it is mine.

It’s not exactly the “copyright” I really worry about. It is more the trust in AMO and my extensions here. And I would think it would be just as much Mozilla’s than my interest to stop this spamming. Not sure exactly what the purpose of the copies is. Maybe to sneak in some malware (haven’t had time to check if they are exact copies bit-by-bit)? Maybe it is only to plant links for SEO-optimization (Profiles of uploaders have “homepage-links” pointing to sites that make no sense in context).

Sigh…

PS. And no, I haven’t tried the “Report this user for abuse” either, as suggested by @hans_squared. Now I want Mozilla to acknowledge there’s a general problem, and they need to handle it proactively somehow. Some kind of “reality-check” when completely new extensions are posted?

https://addons.mozilla.org/en-US/firefox/search/?q=exif&sort=updated

• Image Insight Pro Max
• MetaView Max Pro
• Imago Meta Detect
• Meta Visio+
• Imago Meta View
• MetaXplorer
• Pic Meta Detect
• xMetaViewer
• Image Insights+
• MetaViewr

Wauw! That’s wild. I’ll write those AMO admins again. Thanks!

These Firefox extensions are clones of the imageinfo sample extension for Chrome:

• GetImageinfo pro plus
  (removed by Mozilla)
• GetImageinfo plus
  (removed by Mozilla)
• Gold Image info
  (still on AMO)

I’ll report the users and see what Mozilla does about them.

It seems all mentioned extensions has disappeared from search results now.
I haven’t kept any direct link to the found extensions, but the link to an account I previously posted in this thread, also is blind now. Hopefully permanently.
So something definitely happening now

But wonder if we only discovered the tip of an iceberg of problems?

Google still has links to the extensions, and the ones I’ve checked have been deleted.

Many, but not all, extensions with “Pro” in their name seem to be clones.

Clone: https://addons.mozilla.org/en-US/firefox/addon/manifest-tracker-pro/
Original: https://addons.mozilla.org/en-US/firefox/addon/hls-stream-detector/

These spammers just don’t give up:

Image Metadata Master Pro
MetaLens Master
DataLens Pro Max
EXIF Inspector Pro
MetaLens Pro
Photo Metadata Viewer

(I’m not linking to them, because that could somehow help the SEO spammers, at least until Mozilla removes the extensions)

Thanks @hans_squared.
I have mailed amo-admins again :-/

I notice the “Report this add-on” form/functionality has been updated with recent AMO update. Hopefully this will also result in more quick actions being taken going forward?..

7 new copies of xIFr has been posted on AMO since the clean-up in middle of November. And though I have been reporting them continuously as they was posted on AMO, none of them has been removed yet…

MetaView Pro, Image Metadata Master Pro, MetaLens Master, DataLens Pro Max, EXIF Inspector Pro, MetaLens Pro & Photo Metadata Viewer

But the new “Report this add-on” form/functionality makes it possible to make reports as your authenticated AMO-user. Before I believe it was always anonymously. Being authenticated might put a bit more weight behind claims like “copied MY extension”?.. It does of course also makes it possible for Mozilla to answer the reports in case needed.

But hopefully Mozilla also plans some more pro-active actions, to stop the spam extensions to be posted at AMO in the first place? Personally I’m for a fee when posting your first extension. It could be a small and symbolic fee, the most important thing is the extra step has to be done. Besides the extra trouble itself (and the cost) in the extra step, it would also make poster less anonymously?..

If anyone cares…

Did a bit deeper investigation into one of the “spam-copies”. So far I have assumed them being exact copies of xIFr 2.12.0, but never checked every single line in all the files.

But I found out how to create a little powershell script comparing every file in two unpacked extensions. And it turns out there are two differences between the tagged 2.12.0 release in my repository and the “spam-copy”. One is reformatting and insertion of an “id” in the manifest file. I believe that is done by AMO when uploading an extension, so to be expected. The other one, is the inclusion of a single little extra commit I did into my repository the day after I tagged and packed version 2.12.0.

So in conclusion, the spammer did not just take the 2.12.0 release-version that can be found tagged and packed in my repository. But have packed it manually (zipping content of a folder) from a snapshot of my repository in the period July 16th - August 16th.

So note to myself. Careful calling it exact copies of version 2.12.0. But it is still only code from my repository.

There are still no response on the reported 9 new copies I have found posted since first “cleanup” in the middle of November. I hope Mozilla is “just” busy, and it is not because they have any doubts if extensions should be deleted or not?

So after having checked every file in one of the spam-extensions (“ImageData Explorer”) and verifying it hadn’t been updated on AMO after I previously downloaded it, I finally dared installing it myself via AMO to see how it presents itself when installed. And sadly it not only presents itself as “xIFr” on the onboarding page I have made (I knew there was no changes to that),…

xIFr-clone2950×741 239 KB

but the extension was also presented as “xIFr” by the browser in prompts when installing,…

and after it has been installed, it presents itself as “xIFr” in the extension dropdown and on the “Manage Your Extensions” page. Not by the name it had on AMO…

xIFr-clone11054×777 536 KB

So chances are people quickly forget the name it had on AMO, and never discover they have installed an “unofficial” version of xIFr, which probably never will update (and if it does, probably not to anything good).

Really frustrating to have my name and homepage-links on it everywhere

xIFr-clone41061×1283 650 KB

Hey @stig, I’m sorry about the poor experience here. I don’t have anything to share at the moment, but I wanted to at least acknowledge from the Mozilla side that we’re aware of this thread and that I’m going to look into it from a developer experience point of view.

Thanks @dotproto.
The silence was frustrating. I needed some response, and a acknowledge of the problem from Mozilla . Wasn’t sure if Mozilla just saw me as hysterical developer complaining about innocent look-alike extensions.

I currently count 11 “xIFr clone” extensions:
PicData Analyzer, ImageMeta Master, ImageData Explorer, PicInspector Plus, MetaView Pro, Image Metadata Master Pro, MetaLens Master, DataLens Pro Max, EXIF Inspector Pro, MetaLens Pro, Photo Metadata Viewer

Thanks Mozilla, AMO admins, @dotproto or whoever finally removed all the reported “clone extensions”.

Just discovered a new “MetaMap Viewer Pro” which apparently was posted 5 days ago, but I haven’t discovered until now. But all the other 11 “clone extensions” I have reported since middle of November, are now gone.

That means a total of 25 clones of “xIFr” now has been removed from AMO.

It wasn’t me, but I’m glad to hear it! I should also say that your previous attempts to contact AMO reached the right folks. I think it’s mostly coincidence that action was taken shortly after I commented here.

@stig Unsure if this will keep being a problem for you, but if it does then you could consider rigging your original code to either not function correctly and/or show a warning popup whenever the extension id does not match yours, and remember to obfuscate it so it isn’t easy for them to track it in code. This way, whenever someone installs a blind copy of your original code from AMO the user will be either informed of the situation, or the extension will not work correctly, or both.