Firefox add-ons "more difficult" to hijack than Chrome
By Shona Ghosh
Posted on 21 Jan 2014 at 10:34
Mozilla has claimed it's difficult to hijack Firefox browser add-ons to serve ads, after Google was forced to pull two Chrome extensions that began spamming users.
Google removed the "Add to Feedly" and "Tweet this Page" extensions from the Chrome web store this week, after they were bought by third parties and quietly updated to inject ads into web pages.
But Mozilla said it was more difficult to introduce silent updates for Firefox add-ons than it appears to be for Chrome extensions.
"For add-ons hosted on addons.mozilla.org, all version updates are code reviewed and tested by a member of our review team, and it needs to pass all of our review policies to be pushed to users via auto-update," a Mozilla spokesperson said. "One such policy is that all unexpected changes, such as advertising, needs to be explicitly opt-in."
"This all makes it more difficult for this kind of hijacking to be effective for add-ons listed on Mozilla Add-ons," she added.
The issue has reportedly affected Firefox, however. An investigation by tech site Ghacks found at least one extension, AutoCopy, had been bought by a company called Wips, which then introduced ads through an update - slipping past Mozilla's review processes.
Mozilla wasn't aware of the AutoCopy issue until contacted by PC Pro. The company said its team had tested the current version of AutoCopy and had, in fact, rejected a more intrusive update.
"Version 1.0.8 of AutoCopy is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic," the company said.
"After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and is what the majority of users have installed," the spokesperson added.
The problem appears to be widespread. Several independent developers have revealed how they were approached by third parties and offered large sums for their popular Chrome extensions.
"Add to Feedly" developer Amit Agarwal revealed he had been offered a "four-figure" sum to sell his extension to a mysterious third party. After agreeing to a deal, he then found the new owner had hijacked the extension to start serving ads.
The problem is partially down to loopholes with permissions and Chrome's auto-update feature. Currently, Chrome extensions require the user's permission for certain features, such as accessing their data. Provided that permission is given when the extension is installed, a developer or new owner can push out new updates that insert ads into web pages without asking for that permission again.
PC Pro understands that Google is on the alert for new malicious extensions and is in the process of reviewing its web store policies.
Update: This article was updated on 22 January with Mozilla's statement on AutoCopy.
Is your business a social business? For helpful info and tips visit our hub.
- Hello Cortana, it's nice to meet you
- Windows 8.1 Update: an abject surrender
- The insane economics of Sky Now TV
- No such thing as a free app... so pay up if you want quality
- Time to outlaw crapware-laden installers
- Windows Phone 8.1 video: hands-on
- Office for iPad: key information
- Why every PC buyer owes Richard Durkin a debt of gratitude
- HTC One M8 vs Samsung Galaxy S5: 2014's big-hitters compared
- Windows XP end of life: key information
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords