Yesterday Wladimir Palant, the creator of AdBlock Plus, reported that Mozilla removed four Firefox extensions made by Avast and its subsidiary AVG. Palant also found credible reports about the extensions harvesting user data and browsing histories.
The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons.
Avast and AVG extensions were caught in October
Mozilla removed the four extensions from its add-ons portal after receiving a report from Palant. Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work — including detailed user browsing history, a practice prohibited by both Mozilla and Google.
He published a blog post on October 28 detailing his findings, and in a blog post dated today he says he found the same behavior in the Avast and AVG SafePrice extensions as well. Mozilla did not intervene to take down the extensions after his original blog post. Palant reported the issue to Mozilla developers again yesterday, and they removed all four add-ons within 24 hours.
“The Avast Online Security extension is a security tool that protects users online, including from infected websites and phishing attacks,” an Avast spokesperson told ZDNet. “It is necessary for this service to collect the URL history to deliver its expected functionality. Avast does this without collecting or storing a user’s identification.”
“We have already implemented some of Mozilla’s new requirements and will release further updated versions that are fully compliant and transparent per the new requirements,” the Avast spokesperson said. “These will be available as usual on the Mozilla store in the near future.”
Extensions still available on Chrome browser
The four extensions are still available on the Chrome Web Store according to Palant.
“The only official way to report an extension here is the ‘report abuse’ link,” he writes. “I used that one of course, but previous experience shows that it never has any effect. Extensions have only ever been removed from the Chrome Web Store after considerable news coverage,” he added.
On Hacker News, users discussed how Avast extensions creepily trick browsers to inspect TLS/SSL packets. One of the users commented, “Avast even does some browser trickery to then be able to inspect tls/ssl packets. Not sure how I noticed that on a Windows machine, but the owner was glad to uninstall it. As said on other comments, the built-in Windows 10 Defender AV is the least evil software to have enabled for a somewhat protected endpoint.
The situation is desperate for AV publishers, they treat customers like sheep, the parallel with mafia ain’t too far possible to make.
It sort of reminds me of 20 years back, when it was a common discussion to have on how AV publishers first deployed a number of viruses to create a market.
The war for a decent form of cyber security and privacy is being lost. It’s getting worse every year. More money (billions) is poured into it. To no avail.
I think we got to seriously show the example and reject closed source solutions altogether, stay away from centralized providers, question everything we consume. The crowd will eventually follow.”