Firefox add-on with 7m downloads can invade privacy

A high-rated Firefox extension with more than 7 million downloads secretly collects data about every website the open-source browser visits and combines it with uniquely traceable information tied to the user, an independent security researcher said. The undisclosed behavior of the Ant Video Downloader and Player add-on takes …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Black Helicopters

    Reality Check Network?

    The same RCN who gave all their server logs to the FBI last October after a server hosting bittorrent trackers got hacked? Wonder if a "dun-dun-dunnnnn" is indicated.

    In fact, with my tin-foil hat off for a minute, it's pretty obvious what this is. The ant.com page about their downloader mentions as a feature "Integrated Traffic Rank indicator for all the sites you visit", and this is very obviously a request-and-reply for the rank of El Reg. You come 4086th. They're presumably mining the data to help build up their search engine's traffic rankings database or something like that.

  2. Anonymous Coward
    Thumb Down

    however, if you google...

    Type "ant video downloader" into google, however, and all looks hunky-dory ... nice ant.com site with "Download Now" buttons aplenty.

    The only safe browsing is with a machine you completely wipe and then re-install after every session.... hmmm... wonder if virtualbox could be useful here! :)

    1. Anonymous Coward
      Thumb Up

      Or you could just use sandboxie...

      "The only safe browsing is with a machine you completely wipe and then re-install after every session.... hmmm... wonder if virtualbox could be useful here! :)"

      See title.

    2. Danny 14
      WTF?

      err

      or maybe don't install the extension?

    3. Oninoshiko

      or

      you could use a liveCD...

  3. Studley

    Boo hoo

    People using an extension to download videos which weren't intended to be downloaded, and they have the nerve to complain about THEIR rights being violated? I've got as much sympathy as for torrenters who complain that their downloads are full of viruses.

    The extension appears to have been removed from the Mozilla site now, anyway.

    1. Anonymous Coward
      FAIL

      Relax

      Tell me, when you view a streaming video are you downloading or not? When you load up youtube on your mob and then go on the tube how do you think the video is still playing? Obviously the video is meant to be watched or it would not be freely available on youtube..

  4. Anonymous Coward
    Anonymous Coward

    Wow That Sucks

    The only good thing is that Firefox is the only browser you might be able to escape tracking. (If you set it up right) (maybe). Every other browser you have a 100% chance of being tracked. It's crazy and while not all tracking is malicious, it still can fall into bad hands. IMO this year this tracking/advertising thing is going to blow up even more than it already has. I hope it gets to the point where some companies have to rethink their business plans before banking on tracking/advertising to bring in the money. If you do some research you will find how this concept of "personalized advertising" has been heavily invested in over the past 3 years so they are banking on this being here to stay. The problem is going to be when they have a way of tracking even when you think they can't. It's kind of hard to tell when you use phones and browsers made by an advertising company..

    1. Nigel 11
      Pint

      Escape tracking

      You can escape tracking with any browser - just run it in a virtual machine that you blow away after each session. VMware player is free (-beer) as is any Linux-based browser application (containing Firefox, Chrome, Opera, ...). If it's IE you are after, MS probably expects you to pay for a second copy of Windows even if it's running inside your first copy.

      What's hard is if you want to save state between sessions, but only state you approve of, and not the state that the rest of the world inflicts on you.

  5. Turtle

    Impressive.

    ""We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication," the spokeswoman wrote in an email. "While this does not violate our policies.... "

    Well what the fuck WOULD "violate your policies"?

    1. Anonymous Coward
      Anonymous Coward

      Mm

      Mozilla. Google. Apple. Microsoft. Adobe. Etcetera etcetera. Spot the biz you can trust.

      1. Anonymous Coward
        Joke

        ok.

        That would be Etcetera etcetera.

  6. ddddd
    Heart

    fffff

    I love Firefox, but my default browser is Avant Browser. Firefox is really good; however, Avant Browser is better than FF. It's very low memory usage, very easy to customize (such as disable javascript, activex...), being able to block ads and pop-ups. By the way, I found that Firefox 4.0 didn't release memory thoroughly when I use it for some time, it's boring...

  7. Anonymous Coward
    Anonymous Coward

    The title is required, and must contain letters and/or digits.

    Well, at least Mozilla wasted no time removing this addon. Though I wonder how an addon like this could have been reviewed and approved by Mozilla without them noticing this.

    1. Anonymous Coward
      Anonymous Coward

      @Martijn Otto

      >I wonder how an addon like this could have been reviewed and approved

      These things are sneaky, as are quite a few applications. They don't start to connect to base until a few days have passed or they've been started a few times. The developers who write these apps are well aware that people monitor network traffic when installing a new product so put in delays for this reason.

      1. dssf

        Suppose that this same app could be embedded as a payload for other apps...

        Then, with the same delay, surreptitious installation could simply be PUSHED to unsuspecting users who are not of the programmer savviness. If this stuff can be slipstreamed along with an approved install, and somehow circumvents security checks (again, I'm not a programmer, but I ASSUME this is technically possible, probably having been performed against targets who are wary about their connect times and sites they visit...), then ANYbody who connects is at risk when downloading very large apps that will eclipse the footprint of such an intrusive app.

    2. Anonymous Coward
      Flame

      title

      Mozilla did NOT remove it. I have just been to the add-on site, and stopped a download that was very willing to take place. OK I did not try the current version, but an older one. I think our intrepid reporter just hit a speed-bump on the internet and presumed that it was the end of the highway.

      Just for the elimination of doubt: Downloads of the add-on are still available.

  8. Tom 7

    Who do ant think they are?

    Sony?

  9. karl 15
    WTF?

    IETAB

    I still use firefox, but don't trust it after it came to light that a version of ietab contained spyware.

    It was reported again and again, but was still up for download about a year later.

  10. Anonymous Coward
    Thumb Down

    Ah, proper Spyware.

    I wonder if they've done a deal yet with the official spies in the US?

  11. Anonymous Coward
    Pirate

    Oops!

    I bet a few people have a nice little log sitting on the ANT server of all their porn viewing history, done while in private browser mode! :)

    On the download page on the ant site it says;

    "The ant.com add-on for Firefox can be downloaded from Mozilla's site. The source code is systematically reviewed by an independant Mozilla contributor before it is given to the public. It is the same process for every add-on. So you know our add-on is 100% safe. "

    What a total bunch of misleading scammers.

  12. dephormation.org.uk
    Alert

    If you're with Vodafone

    this is approximately what their network is doing to you.

    Every URL you visit is being harvested, and divulged to Bluecoat in California.

    Your consent is not sought, and you cannot 'opt in' (or out).

    1. Anonymous Coward
      Thumb Down

      And Vodafone don't pay UK TAX

      2 good reasons not to use them

      1. Anonymous Coward
        Anonymous Coward

        Well....

        they probably make a large contribution to Conservative Central, so they get to have some rewards ?

  13. Morcas

    It's back

    It's available again https://addons.mozilla.org/en-US/firefox/addon/video-downloader-player/

    1. ZootCadillac
      Thumb Down

      updated privacy policy

      Yes it's back and the behaviour persists, however it would appear that they have changed their privacy policy to explain that they collect 'unidentifiable' information such as the URL of sites you visit and your IP address.

      I've offered a 'review' explaining all of this information. I doubt that it will be published.

      Certainly not for me. Although I doubt I could make use of it. It seems a huge privacy price to pay for some meaningless traffic ranking.

  14. Tom Chiverton 1

    Tor ?

    Did you just throw Tor in there to look technical ? How the hell is a web browser meant to know you're running either an outbound port redirect, or that the proxy you told it to use is going to forward over Tor ?

    In short, wtf.

    1. Woodgar

      Re: Tor?

      I think the idea was to highlight that using TOR to browse anonymously would not help in this situation as all of your browsing history would still be logged by Ant Video.

      The site you visited, such as youtube, wouldn't have access to your IP address as it would appear as the TOR exit node, but the fact you went to youtube, along with the date, time and your real IP, would still be sent to the addon makers.

    2. Old Handle

      From the context...

      From the context it was mentioned in, I think the point was that the Ant.com identifier would persist even if you switch your browser to use Tor (or private browsing), thus linking your "private" browsing to your IP address. This kind of thing is why I always recommend using a completely separate browser for anything you really care about keeping private.

      1. Tom Chiverton 1

        The title is required, and must contain letters and/or digits.

        "behavior ... takes place ... when the Firefox private browsing mode is turned on or when [using] Tor"

        My point is: well, yes, *of course* because that's not the problem Tor solves. So why mention Tor ? Tor *could not help* here, as you say ! if you are using Tor, you should already know this. Right ? Right ?

      2. Anonymous Coward
        WTF?

        Tor Browser Bundle

        Tor Browser Bundle has no add-ons, except Tor button & https-everywhere, last I checked when you start it up.

        So what you say makes no sense.

        Unless you install this add-on specifically inside the browser bundle.

  15. Anonymous Coward
    Anonymous Coward

    title

    just block the ant.whatever address.

  16. Simon B
    Grenade

    Yet another trash company secretly spying

    Tracking gits! Glad I don't use their secret tracking software disguised as something else! Hopefully people will trash their secret spy tracking software.

  17. Anonymous Coward
    Anonymous Coward

    Scary that it was only detected

    because it makes zero effort to cover its tracks. It would have been easy to mildly encrypt the page url and the unique identifier (possibly by compressing them) and there would be nothing readable to see.

  18. Anonymous Coward
    Anonymous Coward

    Smartscreen built into IE does something similar

    It's on by default in IE8 and IE9 and there must be millions of people still using it.

    http://windows.microsoft.com/en-GB/internet-explorer/products/ie-9/windows-internet-explorer-9-privacy-statement

    When you use SmartScreen Filter to check websites automatically or manually, the address of the website you are visiting will be sent to Microsoft, together with standard computer information and the SmartScreen Filter version number. To help protect your privacy, the information sent to Microsoft is encrypted. Information that may be associated with the address, such as search terms or data you entered in forms might be included. For example, if you visited the Microsoft.com search website at http://search.microsoft.com and entered "Seattle" as the search term, the full address http://search.microsoft.com/results.aspx?q=Seattle&qsc0=0&FORM=QBMH1&mkt=en-US will be sent.

    Address strings might unintentionally contain personal information, but this information, like the other information sent, is not used to identify, contact, or target advertising to you. In addition, Microsoft filters address strings to try to remove personal information where possible. When you use Internet Explorer to download a program, SmartScreen Filter will send the information above, along with information about the downloaded program, such as a file identifier (a “hash”), results from installed antivirus tools, and the program’s digital certificate information, if available.

    Periodically, information about your usage of SmartScreen Filter will also be sent to Microsoft, such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web, such as name and file path, may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information, including web browser version, operating system version, SmartScreen Filter version, the browser language, the referring webpage, and information about whether Compatibility View was enabled for the website.

    A unique identifier generated by Internet Explorer is also sent. The unique identifier is a randomly generated number that does not contain any personal information and is not used to identify you. This information, along with the information described above, is only used to analyze performance and improve the quality of our products and services.

  19. Tim Jenkins

    http://www.ant.com/video-downloader

    "This addon is secure : it was verified by Norton Safe Web and McAfee's Site Advisor . It contains no malware. "

    Phew. That's all right then.

    </sarcasm>

  20. Wize

    Time to update my blocked list...

    ...so nothing ever connects to their servers from home or work.

  21. Luther Blissett

    Server: thin 1.2.7 codename No Hup

    Would that be like Hup Two Three Fo'?

  22. Alan Firminger

    We all have to get used to this

    The commercial value of usage data is enormous. So the spooks can easily piggy back on that. Expect lots more of the same.

  23. Sonny Jim

    Sounds like TACO all over again

    Although this is slightly different, whereas TACO used to be trusted and slim, then got bought out and turned into bloatware. The way they got it past Mozilla that time was to have one of the Firefox add-on's board members in their back pocket.

    I wouldn't be surprised if something similar happened here.

  24. The Reg-ular

    Like DivX

    Check out the DivX WebPlayer ActiveX Control for IE. Tries to connect to DivX's servers every page load, leaks tracking info through the headers, and doesn't use SSL, so one gets annoying mixed-content (secure/insecure) warnings on https sites. I think it might be beta.

  25. Anonymous Coward
    Big Brother

    It does more...

    it's sending "heartbeat" notifications, install/uninstall etc.

    Also, UUID is stored in extensions.antrankservice.uuid
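A check for the identifier named in the comment above, as an added example that is not part of the original thread or the add-on's code: it parses a Firefox profile's prefs.js and reports any prefs under the `extensions.antrankservice.` branch. The branch prefix (derived from the pref name in the comment), the profiles directory path and the sample prefs text are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Pref branch derived from the name given in the comment (assumed prefix).
ANT_BRANCH = "extensions.antrankservice."

# prefs.js stores one preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the quotes around string values
        prefs[m.group(1)] = value
    return prefs


def find_ant_prefs(text):
    """Return only the prefs that belong to the add-on's branch."""
    return {k: v for k, v in parse_prefs(text).items() if k.startswith(ANT_BRANCH)}


def scan_profiles(root):
    """Check every <profile>/prefs.js under a Firefox profiles directory."""
    hits = {}
    for prefs_file in Path(root).glob("*/prefs.js"):
        text = prefs_file.read_text(encoding="utf-8", errors="replace")
        found = find_ant_prefs(text)
        if found:
            hits[prefs_file.parent.name] = found
    return hits


# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.antrankservice.uuid", "00000000-0000-0000-0000-000000000000");
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    print(find_ant_prefs(SAMPLE_PREFS))
    # Assumed Linux profile location; adjust for other platforms.
    print(scan_profiles(Path.home() / ".mozilla" / "firefox"))
```

A hit means the profile still carries the identifier, so the same value would be reused in normal, private-browsing and proxied sessions of that profile.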

  26. Camille.ant

    Your privacy matters to us

    We have addressed these comments and questions regarding our privacy policies on our website: http://www.ant.com/note_about_privacy

    Thanks,

    Ant.com team.

    1. Havin_it

      @Camille.ant

      Hello Ant.com team,

      I'm a bit late to this party but I've looked at the Google cache of your addon's page on addons.mozilla.org and I see that your blurb links to the page you reference above. However, as that page proclaims itself to be in response to users' concerns, we can assume it's a recent addition. Can I ask, was your privacy policy linked next to the download button before these concerns were expressed to you? If not, was there any other mention of the addon's behaviour on that page?

      I like to think that many of us can accept a bit of tracking with good grace as long as the motives are relatively benign, and my surface impression is that that's true of your ranking feature. I also applaud that you offer an opt-out. However, it's a different story if you have failed to be up-front about behaviour like this, as people have to know the opt-out is necessary in order to use it!

      1. Camille.ant

        Privacy Policy has been available for a while

        Hello Havin_it,

        The privacy policy has been linked next to the "Download" button at Mozilla's add-on website for at least six months.

        The contents of this privacy policy have not been updated recently, i.e. the privacy policy you can currently read at Mozilla's is what was available since January.

        As stated in our "Note about privacy", we are currently working on the necessary improvements to both our add-on and our website to make privacy-relevant options very clear to our users. Those changes should roll out "soon" (tm).

        Ant.com team

  27. Anonymous Coward
    Anonymous Coward

    How can we combat this?

    I don't know much about web security, but if the location where the UUID is stored (extensions.antrankservice.uuid) is known, then might it be easy enough to write a "scrambler" code that finds and randomly regenerates a new UUID every time the browser sends an HTTP request?

    1. Anonymous Coward
      Pint

      Well for those of a certain age...

      "Why Don't You turn off your TV set, go outside and go do something less boring instead!"

      ( Jesus, I feel old now! )

    2. dephormation.org.uk
      Happy

      How can we combat this? ...Answer

      Tools/Add Ons... Uninstall.

  28. Anonymous Coward
    Grenade

    Don't ya know?

    Firefox is DEAD and has sucked like a hoover for a very long time.

    Move on to just about any other browser and don't look back!

  29. david 63

    Perhaps...

    sudo iptables -A OUTPUT -d rpc.ant.com -j DROP
