forked from cotes2020/jekyll-theme-chirpy
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create 2023-09-01-Investigating-Firefox.md
- Loading branch information
1 parent
510f664
commit c453e35
Showing
1 changed file
with
47 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
--- | ||
title: Investigating “Recommended Extensions” in Firefox | ||
date: 2023-09-01 12:00:00 +0800 | ||
categories: [Browser] | ||
tags: [firefox, privacy] # TAG names should always be lowercase | ||
toc: true | ||
math: true | ||
--- | ||
# Introduction | ||
|
||
Recently, investigations of Google Chrome extensions have uncovered malware, spyware and adware in dozens of popular extensions used by millions of users.[^footnote] Although there was considerable criticism of Google’s review process for these extensions, I did not observe much curiosity directed towards the state of Firefox extensions. As a devout Firefox user, albeit one who only uses open-source extensions, I was inspired by a comment on YCombinator (Hacker News) by Krono to look into some popular extensions to compare Mozilla against Google.[^footnote2] | ||
|
||
# Recommended Extensions | ||
Mozilla’s “Recommended Extensions” program claims to certify that select extensions have the “highest standards of security, functionality, and user experience” which is done by “thoroughly evaluat[ing] each extension”.[^footnote3] Furthermore, they must abide by the extension standards, which you can read [here](https://extensionworkshop.com/documentation/publish/add-on-policies/), but in summary, extensions must: | ||
1. Not have remote code; | ||
2. Not use Google Analytics JavaScript, only the API; | ||
3. Only collect relevant data to function; | ||
4. Provide a privacy policy and ability to opt-out of data collection; | ||
5. Must be actively maintained (recommended extensions only). | ||
|
||
Seems fair, right? Well, a quick look into some of Mozilla’s “Recommended Extensions” finds that many extensions are not following these rules, and that Mozilla has failed to catch these violations. Lets take a look at some examples. | ||
|
||
# Giphy [Version 3.1] – 7,000 users https://github.com/ColoursofOSINT/extensions-investigation/blob/main/Giphy.md | ||
|
||
This extension – produced by giphy.com – is used to load GIFs which can be sent in “emails, tweets and more”.[^footnote4] Users can search for a GIF and then drag and drop it into the message. Despite not being updated since 2021, it is still a recommended extension. Furthermore, although it has no privacy policy, which suggests that the extension author does not collect analytics, the extension includes an analytics.ts file, which when decompiled, yields: | ||
|
||
``` | ||
;(function(i, s, o, g, r, a, m) { | ||
i['GoogleAnalyticsObject'] = r; | ||
i[r] = i[r] || function() { | ||
(i[r].q = i[r].q || []).push(arguments); | ||
}; | ||
i[r].l = 1 * new Date(); | ||
a = s.createElement(o); | ||
m = s.getElementsByTagName(o)[0]; | ||
a.async = 1; | ||
a.src = g; | ||
m.parentNode.insertBefore(a, m); | ||
})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga'); | ||
``` | ||
|
||
This loads an analytics javascript, which can collect the IP Addresses, user agents, page views, user engagement (time spent/website, interactions,) events (button clicks, video views) and referral sources of users. | ||
|
||
[^footnote]: https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/ | ||
[^footnote2]: https://news.ycombinator.com/item?id=37137552 | ||
[^footnote3]: https://extensionworkshop.com/documentation/publish/recommended-extensions/ | ||
[^footnote4]: https://addons.mozilla.org/en-US/firefox/addon/giphy-for-firefox/ |