back to article Firefox add-on with 7m downloads can invade privacy

A high-rated Firefox extension with more than 7 million downloads secretly collects data about every website the open-source browser visits and combines it with uniquely traceable information tied to the user, an independent security researcher said. The undisclosed behavior of the Ant Video Downloader and Player add-on takes …

COMMENTS

This topic is closed for new posts.

Black Helicopters

Reality Check Network?

The same RCN who gave all their server logs to the FBI last October after a server hosting bittorrent trackers got hacked? Wonder if a "dun-dun-dunnnnn" is indicated.

In fact, with my tin-foil hat off for a minute, it's pretty obvious what this is. The ant.com page about their downloader mentions as a feature "Integrated Traffic Rank indicator for all the sites you visit", and this is very obviously a request-and-reply for the rank of El Reg. You come 4086th. They're presumably mining the data to help build up their search engine's traffic rankings database or something like that.

0
1
Thumb Down

however, if you google...

Type "ant video downloader" into google, however, and all looks hunky-dory ... nice ant.com site with "Download Now" buttons aplenty.

The only safe browsing is with a machine you completely wipe and then re-install after every session.... hmmm... wonder if virtualbox could be useful here! :)

0
1
Thumb Up

Or you could just use sandboxie...

"The only safe browsing is with a machine you completely wipe and then re-install after every session.... hmmm... wonder if virtualbox could be useful here! :)"

See title.

1
1
Silver badge
WTF?

err

or maybe don't install the extension?

7
1
Silver badge

or

you could use a liveCD...

0
0

Boo hoo

People using an extension to download videos which weren't intended to be downloaded, and they have the nerve to complain about THEIR rights being violated? I've got as much sympathy as for torrenters who complain that their downloads are full of viruses.

The extension appears to have been removed from the Mozilla site now, anyway.

0
26
FAIL

Relax

Tell me, when you view a streaming video are you downloading or not? When you load up youtube on your mob and then go on the tube how do you think the video is still playing? Obviously the video is meant to be watched or it would not be freely available on youtube..

6
1
Silver badge

Impressive.

""We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication," the spokeswoman wrote in an email. "While this does not violate our policies.... "

Well what the fuck WOULD "violate your policies"?

11
1
Anonymous Coward

Mm

Mozilla. Google. Apple. Microsoft. Adobe. Etcetera etcetera. Spot the biz you can trust.

3
1
Joke

ok.

That would be Etcetera etcetera.

1
0

This post has been deleted by a moderator

This post has been deleted by a moderator

Anonymous Coward

Wow That Sucks

The only good thing is that Firefox is the only browser you might be able to escape tracking. (If you set it up right) (maybe). Every other browser you have a 100% chance of being tracked. It's crazy and while not all tracking is malicious, it still can fall into bad hands. IMO this year this tracking/advertising thing is going to blow up even more than it already has. I hope it gets to the point where some companies have to rethink their business plans before banking on tracking/advertising to bring in the money. If you do some research you will find how this concept of "personalized advertising" has been heavily invested in over the past 3 years so they are banking on this being here to stay. The problem is going to be when they have a way of tracking even when you think they can't. It's kind of hard to tell when you use phones and browsers made by an advertising company..

3
3
Silver badge
Pint

Escape tracking

You can escape tracking with any browser - just run it in a virtual machine that you blow away after each session. VMware player is free (-beer) as is any Linux-based browser application (containing Firefox, Chrome, Opera, ...). If it's IE you are after, MS probably expects you to pay for a second copy of Windows even if it's running inside your first copy.

What's hard is if you want to save state between sessions, but only state you approve of, and not the state that the rest of the world inflicts on you.

0
0

The title is required, and must contain letters and/or digits.

Well, at least Mozilla wasted no time removing this addon. Though I wonder how an addon like this could have been reviewed and approved by Mozilla without them noticing this.

4
3
Silver badge

@Martijn Otto

>I wonder how an addon like this could have been reviewed and approved

These things are sneaky, as are quite a few applications. They don't start to connect to base until a few days have passed or they've been started a few times. The developers who write these apps are well aware that people monitor network traffic when installing a new product so put in delays for this reason.

4
1
Flame

title

Mozilla did NOT remove it. I have just been to the add-on site, and stopped a download that was very willing to take place. OK I did not try the current version, but an older one. I think our intrepid reporter just hit a speed-bump on the internet and presumed that it was the end of the highway.

Just for the elimination of doubt: Downloads of the add-on are still available.

2
1
Bronze badge

Suppose that this same app could be embedded as a payload for other apps...

Then, with the same delay, surreptitious installation could simply be PUSHED to unsuspecting users who are not of the programmer savviness. If this stuff can be slipstreamed along with an approved install, and somehow circumvents security checks (again, I'm not a programmer, but I ASSUME this is technically possible, probably having been performed against targets who are wary about their connect times and sites they visit...), then ANYbody who connects is at risk when downloading very large apps that will eclipse the footprint of such an intrusive app.

0
0
WTF?

IETAB

I still use Firefox, but don't trust it after it came to light that a version of ietab contained spyware.

It was reported again and again, but was still up for download about a year later.

1
1
Silver badge

Who do ant think they are?

Sony?

3
1
Heart

fffff

I love Firefox, but my default browser is Avant Browser. Firefox is really good; however, Avant Browser is better than FF. It's very low memory usage, very easy to customize (such as disabling JavaScript, ActiveX...), being able to block ads and pop-ups. By the way, I found that Firefox 4.0 didn't release memory thoroughly when I use it for some time, it's boring...

0
4
Silver badge
Thumb Down

Ah, proper Spyware.

I wonder if they've done a deal yet with the official spies in the US?

4
1
Pirate

Oops!

I bet a few people have a nice little log sitting on the ANT server of all their porn viewing history, done while in private browser mode! :)

On the download page on the ant site it says;

"The ant.com add-on for Firefox can be downloaded from Mozilla's site. The source code is systematically reviewed by an independant Mozilla contributor before it is given to the public. It is the same process for every add-on. So you know our add-on is 100% safe. "

What a total bunch of misleading scammers.

3
1
Alert

If you're with Vodafone

this is approximately what their network is doing to you.

Every URL you visit is being harvested, and divulged to Bluecoat in California.

Your consent is not sought, and you cannot 'opt in' (or out).

7
1
Thumb Down

And Vodafone don't pay UK TAX

2 good reasons not to use them

3
2
Anonymous Coward

Well....

they probably make a large contribution to Conservative Central, so they get to have some rewards ?

2
1

It's back

It's available again https://addons.mozilla.org/en-US/firefox/addon/video-downloader-player/

2
1
Thumb Down

updated privacy policy

Yes it's back and the behaviour persists, however it would appear that they have changed their privacy policy to explain that they collect 'unidentifiable' information such as the URL of sites you visit and your IP address.

I've offered a 'review' explaining all of this information. I doubt that it will be published.

Certainly not for me. Although I doubt I could make use of it. It seems a huge privacy price to pay for some meaningless traffic ranking.

3
1

Tor ?

Did you just throw Tor in there to look technical ? How the hell is a web browser meant to know you're running either an outbound port redirect, or that the proxy you told it to use is going to forward over Tor ?

In short, wtf.

1
3

Re: Tor?

I think the idea was to highlight that using TOR to browse anonymously would not help in this situation as all of your browsing history would still be logged by Ant Video.

The site you visited, such as youtube, wouldn't have access to your IP address as it would appear as the TOR exit node, but the fact you went to youtube, along with the date, time and your real IP, would still be sent to the addon makers.

5
1
Bronze badge

From the context...

From the context it was mentioned in, I think the point was that the Ant.com identifier would persist even if you switch your browser to use Tor (or private browsing), thus linking your "private" browsing to your IP address. This kind of thing is why I always recommend using a completely separate browser for anything you really care about keeping private.

0
0

The title is required, and must contain letters and/or digits.

"behavior ... takes place ... when the Firefox private browsing mode is turned on or when [using] Tor"

My point is: well, yes, *of course* because that's not the problem Tor solves. So why mention Tor ? Tor *could not help* here, as you say ! if you are using Tor, you should already know this. Right ? Right ?

0
0
WTF?

Tor Browser Bundle

Tor Browser Bundle has no add-ons, except Tor button & https-everywhere, last I checked when you start it up.

So what you say makes no sense.

Unless you install this add-on specifically inside the browser bundle.

0
0
Anonymous Coward

title

just block the ant.whatever address.

1
1
Grenade

Yet another trash company secretly spying

Tracking gits! Glad I don't use their secret tracking software disguised as something else! Hopefully people will trash their secret spy tracking software.

1
1
Anonymous Coward

Scary that it was only detected

because it makes zero effort to cover its tracks. It would have been easy to mildly encrypt the page url and the unique identifier (possibly by compressing them) and there would be nothing readable to see.

2
1
Anonymous Coward

Smartscreen built into IE does something similar

It's on by default in IE8 and IE9 and there must be millions of people still using it.

http://windows.microsoft.com/en-GB/internet-explorer/products/ie-9/windows-internet-explorer-9-privacy-statement

When you use SmartScreen Filter to check websites automatically or manually, the address of the website you are visiting will be sent to Microsoft, together with standard computer information and the SmartScreen Filter version number. To help protect your privacy, the information sent to Microsoft is encrypted. Information that may be associated with the address, such as search terms or data you entered in forms might be included. For example, if you visited the Microsoft.com search website at http://search.microsoft.com and entered "Seattle" as the search term, the full address http://search.microsoft.com/results.aspx?q=Seattle&qsc0=0&FORM=QBMH1&mkt=en-US will be sent.

Address strings might unintentionally contain personal information, but this information, like the other information sent, is not used to identify, contact, or target advertising to you. In addition, Microsoft filters address strings to try to remove personal information where possible. When you use Internet Explorer to download a program, SmartScreen Filter will send the information above, along with information about the downloaded program, such as a file identifier (a “hash”), results from installed antivirus tools, and the program’s digital certificate information, if available.

Periodically, information about your usage of SmartScreen Filter will also be sent to Microsoft, such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web, such as name and file path, may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information, including web browser version, operating system version, SmartScreen Filter version, the browser language, the referring webpage, and information about whether Compatibility View was enabled for the website.

A unique identifier generated by Internet Explorer is also sent. The unique identifier is a randomly generated number that does not contain any personal information and is not used to identify you. This information, along with the information described above, is only used to analyze performance and improve the quality of our products and services.

2
1

http://www.ant.com/video-downloader

"This addon is secure : it was verified by Norton Safe Web and McAfee's Site Advisor . It contains no malware. "

Phew. That's all right then.

</sarcasm>

4
1
Silver badge

Time to update my blocked list...

...so nothing ever connects to their servers from home or work.

0
1

Server: thin 1.2.7 codename No Hup

Would that be like Hup Two Three Fo'?

0
1

We all have to get used to this

The commercial value of usage data is enormous. So the spooks can easily piggy back on that. Expect lots more of the same.

0
0

Sounds like TACO all over again

Although this is slightly different, whereas TACO used to be trusted and slim, then got bought out and turned into bloatware. The way they got it past Mozilla that time was to have one of the Firefox add-on's board members in their back pocket.

I wouldn't be surprised if something similar happened here.

0
0

Like DivX

Check out the DivX WebPlayer ActiveX Control for IE. Tries to connect to DivX's servers every page load, leaks tracking info through the headers, and doesn't use SSL, so one gets annoying mixed-content (secure/insecure) warnings on https sites. I think it might be beta.

0
0
Big Brother

It does more...

it's sending "heartbeat" notifications, install/uninstall etc.

Also, UUID is stored in extensions.antrankservice.uuid

0
0
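Added example, not part of the comment above and not the add-on's own code: a Python check that parses a Firefox profile's prefs.js and reports anything stored under the preference branch the comment names (extensions.antrankservice.). The sample file content and the UUID value are constructed, and the 8-4-4-4-12 value format is an assumption.

```python
import json
import re

# Branch of the pref named in the comment above (extensions.antrankservice.uuid).
ANT_BRANCH = "extensions.antrankservice."

# prefs.js entries look like: user_pref("name", value);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.+?)\s*\)\s*;\s*$')
# Assumption: the identifier is a standard 8-4-4-4-12 UUID, braces optional.
UUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

# Constructed sample; a real file lives at <profile dir>/prefs.js.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.antrankservice.uuid", "00000000-1111-2222-3333-444444444444");
user_pref("browser.privatebrowsing.autostart", true);
user_pref("network.proxy.socks_port", 9050);
'''


def parse_prefs(text):
    """Return {pref_name: value} for every well-formed user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, malformed entries
        try:
            # Pref strings, integers and true/false all parse as JSON.
            name, value = json.loads(m.group(1)), json.loads(m.group(2))
        except ValueError:
            continue  # escape sequences JSON does not accept are skipped
        prefs[name] = value
    return prefs


def find_tracking_prefs(text):
    """List (name, value, looks_like_uuid) for prefs in the add-on's branch."""
    hits = []
    for name, value in sorted(parse_prefs(text).items()):
        if name.startswith(ANT_BRANCH):
            is_uuid = isinstance(value, str) and bool(UUID_RE.match(value))
            hits.append((name, value, is_uuid))
    return hits


if __name__ == "__main__":
    for name, value, is_uuid in find_tracking_prefs(SAMPLE_PREFS):
        print(f"{name} = {value!r} (persistent identifier: {is_uuid})")
```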

Your privacy matters to us

We have addressed these comments and questions regarding our privacy policies on our website: http://www.ant.com/note_about_privacy

Thanks,

Ant.com team.

0
1
Bronze badge

@Camille.ant

Hello Ant.com team,

I'm a bit late to this party but I've looked at the Google cache of your addon's page on addons.mozilla.org and I see that your blurb links to the page you reference above. However, as that page proclaims itself to be in response to users' concerns, we can assume it's a recent addition. Can I ask, was your privacy policy linked next to the download button before these concerns were expressed to you? If not, was there any other mention of the addon's behaviour on that page?

I like to think that many of us can accept a bit of tracking with good grace as long as the motives are relatively benign, and my surface impression is that that's true of your ranking feature. I also applaud that you offer an opt-out. However, it's a different story if you have failed to be up-front about behaviour like this, as people have to know the opt-out is necessary in order to use it!

0
0

Privacy Policy has been available for a while

Hello Havin_it,

The privacy policy has been linked next to the "Download" button at Mozilla's add-on website for at least six months.

The contents of this privacy policy have not been updated recently, i.e. the privacy policy you can currently read at Mozilla's is what was available since January.

As stated in our "Note about privacy", we are currently working on the necessary improvements to both our add-on and our website to make privacy-relevant options very clear to our users. Those changes should roll out "soon" (tm).

Ant.com team

0
1
Anonymous Coward

How can we combat this?

I don't know much about web security, but if the location where the UUID is stored (extensions.antrankservice.uuid) is known, then might it be easy enough to write a "scrambler" code that finds and randomly regenerates a new UUID every time the browser sends an HTTP request?

0
0
Pint

Well for those of a certain age...

"Why Don't You turn off your TV set, go outside and go do something less boring instead!"

( Jesus, I feel old now! )

1
2
Happy

How can we combat this? ...Answer

Tools/Add Ons... Uninstall.

0
0
