Firefox just installed two addons into my browser without consent... again
Here is what just happened to me:
Firefox installed two addons - fxmonitor@mozilla.org.xpi and telemetry-coverage-bug1487578@mozilla.org into my browser silently, even though I've explicitly turned all the telemetry off.
This has happened before, and Mozilla apologized for it, however it seems that they learned nothing and are willing to do so again.
There goes the last scrap of my trust in Firefox. I suggest you check your browsers too.
Yep. It appears you're correct. Sources:
Firefox Monitor:
https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/
Have I Been Pwned API integration:
https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/
Telemetry on/off check:
https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/
I get where they're coming from, but that really sounds like
And I can see where that might be taken negatively, even if it's pretty small in the grand scheme of things.
Yeah, it's effectively backdoor telemetry (just one query and hopefully non-repeating, but even still). So I can see why some people might be upset by it. However I suspect this is one of those "better to beg forgiveness" situations where if they had had to ask all their users for permission to query the telemetry status it wouldn't have netted them a complete or even remotely accurate view of what % of users actually have it disabled.
True, but as usual, for those users who get concerned, they added a config value.
Create toolkit.telemetry.coverage.opt-out as a boolean, with a value of true.
For users who get concerned I recommend this: https://github.com/ghacksuserjs/ghacks-user.js/
It's a template user.js file for Firefox you can customize to disable all telemetry options, even those hidden from the UI. It also includes other useful settings for security and privacy.
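An added example, not from anyone in this thread or from the ghacks project: a small audit of a profile's user.js/prefs.js for the toolkit.telemetry.coverage.opt-out key named above (and again later in the thread), plus a scan for the two add-on ids from the original post. The other three pref names are standard Firefox prefs from my own knowledge, not from the thread; the sample prefs text is constructed.

```python
import re
from pathlib import Path

# Matches one line of a Firefox prefs.js / user.js file, e.g.
#   user_pref("toolkit.telemetry.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# State a user who opted out of telemetry would expect. The opt-out key is
# the one given in the thread; the other names are standard Firefox prefs
# (assumed from my own knowledge; verify against about:config on your version).
EXPECTED = {
    "toolkit.telemetry.coverage.opt-out": True,
    "toolkit.telemetry.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
    "app.shield.optoutstudies.enabled": False,
}

# Add-on ids named in the original post, used to spot their .xpi files.
ADDON_IDS = ("fxmonitor@mozilla.org", "telemetry-coverage-bug1487578@mozilla.org")


def parse_value(raw):
    """Turn the literal inside a user_pref() call into a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)  # remaining prefs are integers


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit_prefs(prefs):
    """List (pref, expected, actual) for each pref not in its opted-out state."""
    return [(name, want, prefs.get(name))
            for name, want in EXPECTED.items() if prefs.get(name) != want]


def find_addon_files(profile_dir):
    """Paths of any .xpi under the profile whose name contains a listed id."""
    return sorted(p for p in Path(profile_dir).rglob("*.xpi")
                  if any(aid in p.name for aid in ADDON_IDS))


# Constructed sample: telemetry switched off, but the coverage opt-out absent.
SAMPLE_PREFS = '''
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name, want, got in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(f"{name}: expected {want!r}, found {got!r}")
```

Point find_addon_files at a real profile directory to list any matching .xpi files; the sample run only reports the missing opt-out key.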
More information from the bugzilla entry, on Telemetry Coverage.
They don't handle these things well. I don't think anybody in their right mind thinks that Mozilla is after their users' private data, but the way they do these things gives out an image of sloppiness.
Also, I want my browser like my Emacs: it should not communicate with anybody unless I openly ask it to do so. That need not be malicious behaviour, but still that's rather insecure, IMHO. But admittedly I don't know much about security.
You could always go straight to the source and use emacs as your browser!
I do :) Well, kind of. When I click a link in Emacs, it asks me "Browse with EWW? (y or n)". If I answer n, it opens it in Firefox. If y, it opens it in EWW. But before all this, when I follow a link, my browse-url function matches the URL against a set of regexps and may do something else instead of asking the above question: if it's a github link which has a diff, it downloads it as a tmp folder and opens it in diff mode. If it's from the Github raw url, it's downloaded to /tmp and opened in the appropriate mode. If it's a youtube link, it opens it with mpv. If it's a PDF, an Elisp file, or an image, or some other file I've added a function for (I have a macro for this) it's again downloaded in the /tmp folder and opened with the appropriate emacs mode. This may seem like an overkill, but it's quite useful, as I read my feeds and emails in Emacs, I click lots of links within it, and this sort of setup skips many middle steps. These days I don't use EWW all that much. But when programming I try to use it as much as I practically can for looking up online documentation and divine intervention (i.e. StackExchange stuff). You can check out how that works here. I guess this comment (mine, not the one I'm responding to) should be tagged off-topic.
I agree, I don't think that Mozilla did what they've done in bad faith, but I also don't want this kind of stuff to happen to my browser.
I don't think that it's an overreaction, especially with a drastic change of attitude that Mozilla seemingly made after the Looking Glass fiasco. They've made the exact same thing again, but this time this wasn't even an opt-in, and it wasn't even mentioned by the browser - data collection, silent, without consent, purposely hidden. I think it should tell something when first a corporation feels like it has to apologize for having a silently installed addon that asks if it could start working, and then pushes another two addons that are hidden and ready to send data the moment they are installed. I don't think that this qualifies as transparent, and I also don't think that any company that tells us that it cares about privacy should pull stuff like this on its users. The fact that they can push any addon to your browser at any time is bad enough, but it could only be made worse if it's used twice for data collection already.
For those of you who don't know, I'm a Mozilla employee.
Disclaimer: I have opinions on the "telemetry coverage" topic. No, I am not going to share them. No, I do not have the authority, nor the influence, to change how this is being done, so please save your breath.
Having said that, I do see some misinformation being spread in this thread that I'd like to clear up. To do so, I'm going to have to give a bit of background on the architecture of Firefox, as well as how updates work:
Firefox Architecture
(This is not 100% correct, but is "correct enough" for the purposes of this discussion.)
What we refer to as "Firefox" consists of two layers: the lower layer is binary machine code, while the upper layer is interpreted code (HTML, CSS, JavaScript, and some other non-standard stuff). The lower level is only updated when we bump version numbers. The upper layer can be updated dynamically, however.
Now that you know this, here are two types of dynamic updates that Mozilla pushes out to Firefox:
System (aka "Go Faster") add-ons
It takes a lot of work to cut a new set of Firefox binaries from a particular revision in our source tree, for the purposes of deploying to release. Dot-releases (aka "Chemspills" in Mozilla parlance) for serious issues often take place at shitty times, and our release managers and QA people get roped into pulling all-nighters or working weekends to get those builds ready to push out ASAP. Because of the amount of work involved, we don't like to push out dot releases unless there is a serious issue that needs to be fixed.
We eventually concluded that there are some parts of the Firefox product that can be updated incrementally and out of band (namely, the upper layer of interpreted code that I mentioned previously) from the normal six week cadence of browser releases. This allows us to push out new features, enable/disable features, and in general do any kind of maintenance or update that falls outside the scope of requiring new binaries.
These updates are called "system add-ons," but they really should be thought of as mid-release-cycle updates to the browser. Perhaps use of the term "add-ons" was poor naming, because they really are components that provide dynamic updates to that upper layer of Firefox code. They really should be considered to be part of the browser.
Hypothetical scenario: Let's say that a feature that we rolled out on release day is interacting badly with antivirus software and nobody saw it coming during beta (yes, this happens ALL THE TIME). Back in the day, we would have had to cut a chemspill release to disable that feature. Now, we can simply push out a system addon that flips the pref to disable that problematic feature. We can deliver that fix faster (and thus affect fewer users) and with less effort by using a system addon than if we had to go through the whole rigamarole of a chemspill release.
SHIELD studies.
Shield studies are essentially a subset of system addons that are specifically devoted to A/B tests. Like most other modern, data-driven, large-scale software, small percentages of the release population are selected to test prototypes of new features. These studies can be disabled in the "Privacy & Security" section of preferences via the "Allow Nightly to install and run studies" checkbox.
The Mr. Robot / Looking Glass debacle and the aforementioned apology
The TL;DR of this was that Mozilla had been doing cross-promotion with the Mr. Robot TV show. Our marketing team decided to pull a stunt where, during the season 3 finale, they deployed a Mr. Robot game into Firefox (that remained inert unless explicitly enabled by the user) called "Looking Glass." Looking Glass was deployed using SHIELD, which was obviously above and beyond the intended use case for SHIELD. Many users were upset, and frankly most Mozillians were too. There was not enough process in place to prevent our update technologies from being abused.
The apology was about misusing the SHIELD platform to deliver content that had nothing to do with A/B tests. It is not correct to interpret that apology as, "we will never push out dynamic updates to Firefox ever again."
I was hoping you would pop in here and clear things up for everyone... I was even tempted to @ mention you earlier but didn't want to pressure you in to responding, especially if you didn't want to get involved in the issue at all. Thanks for the detailed synopsis. :)
Thanks for not pressuring me, I really appreciate it. I was originally going to stay out of this but I changed my mind when I saw that the record needed correcting.
Wow, thanks for the incredibly detailed write-up! The solution to this problem seems simple: why not rename "system add-ons" to "rolling updates" or something similar? I realize you have little power to change these things, but has there been any discussion around this?
Also, a tad off-topic, but what kind of work do you do at Mozilla? What do you enjoy most?
I agree. We actually had a discussion on our internal Slack about this on Friday evening, but whether anybody will actually do anything about that, I don't know.
I am a lead software engineer working on the "Content Isolation and Platform Integration" team: Mozilla-speak for sandboxing and other stuff that deals with code specific to our supported desktop platforms.
For better or worse, I am considered to be the "Windows guy," so I deal with a lot of esoteric low-level Windows stuff that nobody else knows how to do. Right now I'm working on stopping third parties from injecting their DLLs into our processes.
So apparently it's their push to collect data on how many people are using Firefox with telemetry off. I just want to stress their apology after the LookingGlass incident:
Yes, I agree that it is different - the Looking Glass addon had to ask for your permission before working. These ones don't.
No they were not open about that, since I've only stumbled across these by accident. I suggest you think this over - two data-collection addons were installed silently in the background on a privacy-oriented browser. And they do the exact thing that the browser had been told not to do - send telemetry to Mozilla about your telemetry status. And, of course, along with this data the user agent, IP address and other stuff is leaked as soon as the request is made to Mozilla servers.
Yes I have, all Linux installations that are installed via package manager have update checking disabled, and they are updated via the package manager and built on my distro servers.
Welp, I am the 1% now
I wouldn't - that would be honest and transparent, exactly as Mozilla wants to appear and I trusted it to be.
This is content of the ping that Telemetry Coverage fires off:
(As well as a generated UUID, as ingesting data requires that).
Now, this is admittedly more than just telemetryEnabled, and there has been some concern raised about that by the developer lead, though they did sign off for now.
The addon is also over at Mozilla's one-off repository, which is the reason it hasn't asked for an install.
A one-off, is a backported update. That is, the addon disappears at your next update, but the featureset remains as a part of the browser.
If you don't want to use it, then create the key toolkit.telemetry.coverage.opt-out as a boolean, with a value of true, and the ping will never happen.
Too late for that, the data had already been collected.
Had it? It installed for everyone, but only runs for 1% of users.
Found on looking glass extension reviews page, 9 months ago:
Emphasis mine
I agree that this is a much smaller issue than the Looking Glass debacle, but it still leaves a pretty sour taste in my mouth when I think of people who have explicitly opted out of any telemetry, by whatever means they choose, being quietly fed yet another piece of tracking software via a browser and organization that we all really, really want to be able to trust completely.
It's not a big deal by itself, but it feels ill-considered and in poor taste, particularly coming after the different but not entirely un-related Looking Glass.
For myself, I opt in to using Nightly and all the various studies and telemetry, because I'm a developer myself and am interested in supporting the project and keeping an eye on how things are going, so this doesn't affect me directly. However I do care deeply about privacy and control, and when someone tells Mozilla that they don't wish to participate in any telemetry, I expect Mozilla to take that pretty seriously, and not just deploy more telemetry to follow up.
It's just kind of disappointing.
How does it even relate? Looking Glass was scary (i.e. looked like malware), immediately user visible, and served no purpose. These don't look like malware, require you to view them in about:debugging, and have obvious purposes.
Them being visible in about:debugging is an intentional choice to keep things transparent. They could have easily hidden them, like everything else with an auto-updater does.
Exactly! It was scary and looked like malware because it had been installed through a backdoor in your browser without your consent, but at least you could see what is happening. Hiding this activity is not transparency, it's secrecy.
It's exactly the opposite, only developers that are making addons at that moment ever visit that page, there is no reasonable expectation for a regular user to check that page regularly. And at this time when I'm writing this comment the addon in question is gone. So effectively Mozilla just installed an addon, snatched the data and then removed it to hide its tracks. Transparency would be at least a popup telling me that they are about to collect my data, or better yet, don't install anything into my browser behind my back without ever asking me about it.
I meant Looking Glass itself looked like malware, not its delivery. It was titled "Looking Glass", with the description of "MY REALITY IS DIFFERENT THAN YOURS". It didn't describe what it was or what it was doing there, instead it used a tagline literally out of a hacker drama.
Auto-installing looking glass was a mistake because it was a part of an ad campaign, and the targeted userbase would have installed it themselves. It served no purpose to Mozilla or Firefox's users, and it looked scary. Were it named "Firefox Looking Glass" with the description "Enable in about:config to take part in the Mr. Robot ARG" the headlines would have been very different.
To clarify. Firefox performs studies, which collect non-user-identifiable data that is used to direct how Firefox is developed. They do not hide the fact that this happens, which would be trivial for them to do. They announce in great detail what they are doing. They publicly comment on what they are doing to clarify misconceptions. If that isn't something you are happy with, I'm sorry to say Firefox does not have the kind of privacy policy you're looking for.
Yeah, I knew nothing about what it was when I made the original post, but later I've found out and made a comment with their apology.
I think the point that is lost on a lot of people is that the problem is not what these do (which is fine and boring), but that they can install arbitrary code that runs without your permission.
Every piece of software you use that has an auto-updater can install and run arbitrary code on your computer. So long as the maintainers have good security and you maintain trust in them, this isn't an issue. Given that browsers are literally built to download and execute arbitrary code from the internet, it's important to have a well-maintained and up-to-date browser to keep that all secure.
Mozilla is open source, transparent, and has operated on good faith for decades with the worst controversies paling in comparison to what their competition does and gets away with on a daily basis. So I choose to trust Mozilla by installing and running their browser and allowing it to auto-update.
It says a lot that Mozilla is held to such a standard that a story about Mozilla running basic telemetry in their browser is controversial when their biggest competitor by far, Google, is also the biggest violator of user privacy by far, and is taking steps to allow them to track near everyone on the internet by forcibly taking over web hosting with AMP.
I don't use any software that auto-updates and installs arbitrary software (aside from Firefox).
Any software with an auto-updater asks me if I want to enable it, and doesn't make me change some obscure about:config flag to disable it. Forcing me to do that breaks my security model, where all of my software flows through my distro's repository maintainers who I do trust. I install software from there, and update it from there; the software does not get to download and run arbitrary code.
Which I think is a bad thing. I disable JS for all but a few sites who I trust.
It comes down to this: Trust should be opt-in, not opt-out. I don't automatically trust you, you build up trust over time by demonstrating you are trustworthy. In general, you're right; Mozilla is a decently trustworthy organization. Like I said in my original comment, the key word here is that they do these things "without your permission". If they asked me and I said yes, then that's all well and good. But don't assume I am okay with it.
All it takes is a simple yes/no dialog. And here's the thing, most of the time when a program asks if it can connect telemetry, I say yes. My issue is not with the action, but simply that they do not ask my permission for the action.
Opt-in for updates absolutely does not work for web browsers. That was the model they all essentially operated on for decades and it was not only a giant PITA for webdevs because of the insanely slow version adoption rates that resulted in, requiring a ridiculous amount of custom workarounds in order to support out of date browsers, but it was also incredibly detrimental to the ecosystem of the net as a whole, both in terms of security and web standards progress. And those are precisely the reasons every major browser now features automatic update enabled by default and will likely never go back... nor should they IMO.
I feel like if this level of obfuscation was being employed by Microsoft or Google the outrage would be more significant.
The fact they are doing it like this, hidden extension with hidden opt out config value in the already less accessible advanced settings, is shady stuff and I would expect better from Mozilla.
Do these show up in about:addons?
You have to click on the gear icon on the top and then click "debug addons". They are hidden.
Thanks. I don't have those two addons.