Firefox add-ons "more difficult" to hijack than Chrome

By Shona Ghosh

Posted on 21 Jan 2014 at 10:34

Mozilla has claimed it's difficult to hijack Firefox browser add-ons to serve ads, after Google was forced to pull two Chrome extensions that began spamming users.

Google removed the "Add to Feedly" and "Tweet this Page" extensions from the Chrome web store this week, after they were bought by third parties and quietly updated to inject ads into web pages.

But Mozilla said it was more difficult to introduce silent updates for Firefox add-ons than it appears to be for Chrome extensions.

"For add-ons hosted on addons.mozilla.org, all version updates are code reviewed and tested by a member of our review team, and it needs to pass all of our review policies to be pushed to users via auto-update," a Mozilla spokesperson said. "One such policy is that all unexpected changes, such as advertising, needs to be explicitly opt-in."

"This all makes it more difficult for this kind of hijacking to be effective for add-ons listed on Mozilla Add-ons," she added.

The issue has reportedly affected Firefox, however. An investigation by tech site Ghacks found at least one extension, AutoCopy, had been bought by a company called Wips, which then introduced ads through an update - slipping past Mozilla's review processes.

Mozilla wasn't aware of the AutoCopy issue until contacted by PC Pro. The company said its team had tested the current version of AutoCopy and had, in fact, rejected a more intrusive update.

"Version 1.0.8 of AutoCopy is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic," the company said.

"After version 1.0.8, Wips submitted a new version of AutoCopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and is what the majority of users have installed," the spokesperson added.

Auto-update

The problem appears to be widespread. Several independent developers have revealed how they were approached by third parties and offered large sums for their popular Chrome extensions.

"Add to Feedly" developer Amit Agarwal revealed he had been offered a "four-figure" sum to sell his extension to a mysterious third party. After agreeing to a deal, he then found the new owner had hijacked the extension to start serving ads.

The problem is partially down to loopholes with permissions and Chrome's auto-update feature. Currently, Chrome extensions require the user's permission for certain features, such as accessing their data. Provided that permission is given when the extension is installed, a developer or new owner can push out new updates that insert ads into web pages without asking for that permission again.
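
The gap described above can be checked for when vetting an update. The following is an added example, not code from the article, Google or Mozilla: it compares two constructed manifest.json files and flags an update that ships new script files while requesting no access beyond what was granted at install. The manifests, the function names and the exact-string comparison of permissions are assumptions for illustration; Chrome's own logic for deciding when to re-prompt is not reproduced here.

```javascript
// Added example: flag extension updates that change injected code without
// asking for any new access. Manifests below are constructed samples.
const installed = {
  name: "Example Clipper", version: "1.0.7",
  permissions: ["tabs", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["clip.js"] }],
};
const silentUpdate = {          // same access, one extra injected script
  ...installed, version: "1.0.8",
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["clip.js", "inject.js"] }],
};
const widerUpdate = {           // asks for something the user never granted
  ...installed, version: "1.0.9",
  permissions: [...installed.permissions, "history"],
};

// Everything the manifest asks for: API permissions, host patterns, and the
// pages content scripts run on.
function requestedAccess(manifest) {
  const scripts = manifest.content_scripts || [];
  return new Set([...(manifest.permissions || []), ...scripts.flatMap((cs) => cs.matches || [])]);
}

// Every script file the manifest injects into pages or runs in the background.
function shippedScripts(manifest) {
  const content = (manifest.content_scripts || []).flatMap((cs) => cs.js || []);
  const background = (manifest.background && manifest.background.scripts) || [];
  return new Set([...content, ...background]);
}

function auditUpdate(prev, next) {
  const had = requestedAccess(prev);
  const newAccess = [...requestedAccess(next)].filter((a) => !had.has(a));
  const ran = shippedScripts(prev);
  const newScripts = [...shippedScripts(next)].filter((s) => !ran.has(s));
  const onAllSites = [...requestedAccess(next)].some((a) => /^(<all_urls>|(\*|https?):\/\/\*\/)/.test(a));
  let verdict = "no-change";
  if (newAccess.length > 0) verdict = "new-access";           // assumed to need fresh consent
  else if (newScripts.length > 0) verdict = onAllSites ? "silent-change-all-sites" : "silent-change";
  return { from: prev.version, to: next.version, newAccess, newScripts, verdict };
}

for (const update of [silentUpdate, widerUpdate]) {
  console.log(JSON.stringify(auditUpdate(installed, update)));
}
```

A new filename is only one signal; an update can also change the contents of an existing script, so hashing the packaged files between versions is the stronger check.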

PC Pro understands that Google is on the alert for new malicious extensions and is in the process of reviewing its web store policies.

Update: This article was updated on 22 January with Mozilla's statement on AutoCopy.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
