funsec mailing list archives
Re: FlashGot Firefox plugin, now spyware
From: Daniel Veditz <dveditz () cruzio com>
Date: Tue, 16 Feb 2010 14:00:43 -0800
Gadi Evron wrote:
On 2/16/10 6:29 PM, Reed Loden wrote:
On Tue, 16 Feb 2010 11:47:48 +0200 Gadi Evron <ge () linuxbox org> wrote:
Just to make sure we have the same terminology, as a friend of mine disagrees:
1. It adds content to web pages I visit (so far just Google) by suggesting tweaked searches, possibly (unconfirmed) by sending data about my searches, which would make it spyware.
2. When I click these suggested better searches for what I was looking, it sends me off to a different search engine, which I define as adware.
If the data sent off is integral to providing the ads then it's still "adware" in my book, but the line there is a little grey.
By letter of the law or not, this *Feels* wrong. So I am hopeful Mozilla will do something about it. However, I can't really blame them if they can't. I am unsure that an AUP *anywhere* currently covers that "apps" can provide only with features users agree to, or that they should need to notify of a major change in functionality. It's certainly a very interesting question. The good old comp.virus FAQ defines a Trojan horse as functionality which if the user knew what it did, he or she wouldn't be happy about it. In reverse, this fits quite well.
AMO has a "No surprises" policy. This was an unwelcome surprise.
http://blog.mozilla.com/addons/2009/05/01/no-surprises/
https://addons.mozilla.org/en-US/developers/docs/policies/reviews#section-defaults
There's no ban on ad-supported extensions, but unless the main announced purpose is to serve ads then it had better be clear it does so. And if it needs to share data with a 3rd party server (whether for ads or for the normal functioning of the add-on) then it has to have a privacy policy and explain what it's doing. And making such changes on an upgrade is supposed to require user opt-in.
Let's see what happens.
The new version of FlashGot has been taken off the site and we're working with the author on making an upgrade that meets the site's guidelines.
-Daniel Veditz
Mozilla Security Team
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.