funsec mailing list archives

Re: FlashGot Firefox plugin, now spyware


From: Daniel Veditz <dveditz () cruzio com>
Date: Tue, 16 Feb 2010 14:00:43 -0800

Gadi Evron wrote:
On 2/16/10 6:29 PM, Reed Loden wrote:
On Tue, 16 Feb 2010 11:47:48 +0200
Gadi Evron <ge () linuxbox org> wrote:

Just to make sure we have the same terminology, as a friend of mine
disagrees:
1. It adds content to web pages I visit (so far just Google) by
suggesting tweaked searches, possibly (unconfirmed) by sending data
about my searches, which would make it spyware.
2. When I click these suggested better searches for what I was looking,
it sends me off to a different search engine, which I define as adware.

If the data sent off is integral to providing the ads then it's still
"adware" in my book, but the line there is a little grey.

By letter of the law or not, this *Feels* wrong. So I am hopeful Mozilla 
will do something about it. However, I can't really blame them if they 
can't.

I am unsure that an AUP *anywhere* currently covers that "apps" can 
provide only with features users agree to, or that they should need to 
notify of a major change in functionality.

It's certainly a very interesting question.

The good old comp.virus FAQ defines a Trojan horse as functionality 
which if the user knew what it did, he or she wouldn't be happy about 
it. In reverse, this fits quite well.

AMO has a "No surprises" policy. This was an unwelcome surprise.
http://blog.mozilla.com/addons/2009/05/01/no-surprises/
https://addons.mozilla.org/en-US/developers/docs/policies/reviews#section-defaults

There's no ban on ad-supported extensions, but unless the main announced
purpose is to serve ads then it had better be clear it does so. And if it
needs to share data with a 3rd party server (whether for ads or for the
normal functioning of the add-on) then it has to have a privacy policy and
explain what it's doing. And making such changes on an upgrade is supposed
to require user opt-in.

Let's see what happens.

The new version of FlashGot has been taken off the site and we're working
with the author on making an upgrade that meets the site's guidelines.

-Daniel Veditz
Mozilla Security Team
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

