Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by patrickjdempsey »

I'm not sure I see the point in filing a bug on IE Tab Plus. The author just hooked up a monetization deal with SuperFish which AMO has hosted since January and who are soliciting authors in the AMO forums.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by the-edmeister »

https://addons.mozilla.org/en-US/firefox/addon/13780/ - I wonder how the hell that POS got "Featured" status? And now with SuperFish pimping itself to other addon authors - https://forums.addons.mozilla.org/viewt ... =Superfish - maybe the time has come for another "user campaign" to rid AMO of that and other garbage?


Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
Gopher John
Posts: 1764
Joined: May 8th, 2008, 3:42 pm
Location: Northwest Ohio

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by Gopher John »

Perhaps Mozilla could police this themselves via https://www.mozilla.com/en-US/blocklist/ or something similar.

If spyware at AMO becomes prevalent and/or is added to my chosen extensions, that would be enough to move away from Firefox to Opera as my default browser. After all, the customization offered by extensions is what attracts users to Firefox. If one cannot trust the extensions, it's a lost cause.
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein
Helper7677
Posts: 61
Joined: August 11th, 2010, 2:23 pm

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by Helper7677 »

Developer of IE Tab Plus (FF3.6+) violated Developer Agreement by not posting the required information within first bulleted item under #1: https://addons.mozilla.org/en-US/develo ... /agreement

Text of my e-mail to amo-admins at mozilla.org on 10/19/2010:

Suggest banning this add-on due to violation of policy stated:

1. Responsibility Re AMO Contributions. You represent and warrant that:
    if any information about the user or usage of the AMO Contribution is collected or transmitted outside of the user's computer, the details of this collection will be provided in the description of the AMO Contribution and you will provide a link to a privacy policy detailing how the information is managed and protected;

IE Tab Plus (FF3.6+) add-on page: https://addons.mozilla.org/en-US/firefox/addon/10909/

I will find another add-on or method rather than use this add-on again.

See discussion on this topic on Mozillazine forum: viewtopic.php?f=38&t=2014247


------end of e-mail text
houdini65
Posts: 8
Joined: March 10th, 2006, 2:58 pm

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by houdini65 »

@Helper7677
First thing, I hate that they put these things in the addons! After reading your post and then their privacy policy, I uninstalled IE Tab Plus (FF3.6+), and then re-installed it. The basic version does not violate any policies since it's free of anything above what is stated in the privacy policy.

Only when you choose either the "Featured Mode" or "Full Mode" are you installing the Price Comparison feature. There is a privacy policy link in blue that takes you to http://www.superfish.com/privacy.jsp. The page that tells you about the additional information that is gathered.

This is the rub. You're agreeing to the so-called "secret spyware", so the only person responsible for it being on the PC is the one who didn't read all the documentation.

It truly sucks that developers are doing this, but these days people are hurting for cash. When was the last time any of us clicked on the contribute button? Outfits like superfish are a way to get it, and they are aggressively going after developers since they need money too.
malliz
Folder@Home
Posts: 43796
Joined: December 7th, 2002, 4:34 am
Location: Australia

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by malliz »

Can we not do the huge type thing please? After all it is considered rude and ill mannered to use it on forums.
What sort of man would put a known criminal in charge of a major branch of government? Apart from, say, the average voter.
"Terry Pratchett"
neurohax
Guest

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by neurohax »

Gopher John wrote:Perhaps Mozilla could police this themselves via https://www.mozilla.com/en-US/blocklist/ or something similar.

If spyware at AMO becomes prevalent and/or is added to my chosen extensions, that would be enough to move away from Firefox to Opera as my default browser. After all, the customization offered by extensions is what attracts users to Firefox. If one cannot trust the extensions, it's a lost cause.


Long time 'lurker' on the forums and this topic finally drove me to register. This statement hits the nail on the head. I like Chrome, think Opera had some nice and unique features, and even IE has its pluses (in recent versions), but the two things that keep me using FF are the addon support and addon library. If I cannot trust the developers or maintaining those addons becomes too time consuming, then that will be the day I jump ship. Those two factors are directly related - if the trust is lost, then I have to comb over every add on installed and updated, which takes time. Too much time with the crazy release schedules some of the addons have.

The most basic level of trust is to assume that someone isn't acting in a way that hurts you because it helps them. What does rendering a page in another browser engine or converting a file have to do with price comparisons? Nothing. Why is it being done? To make the dev money. How is it hurting me? It's slowing down my system, creating a security risk, and making my browsing experience worse. It's that simple.

Otherwise, what's stopping someone from pulling a one time scam? Make an add on that between the hours of 2-5am throws up 1000s of affiliate linked click through ads and run an autoclick script. Solicit addon devs and just make sure that the payoff is greater than what you offer them. (I pay you $100 to install my add on with yours, knowing that you have 300 users, which would net me $500 in late night revenue. You hate me, I don't care, I collect $400.) Heck, the 'host' add on just has to be updated to get rid of your parasitic money scheme, and most users will find it forgivable (oops, sorry, install was infected. update plz).

Anyhow, yeah, slippery slopes are slippery. This bodes badly for FF.
neurohax
Guest

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by neurohax »

houdini65 wrote:@Helper7677
First thing, I hate that they put these things in the addons! After reading your post and then their privacy policy, I uninstalled IE Tab Plus (FF3.6+), and then re-installed it. The basic version does not violate any policies since it's free of anything above what is stated in the privacy policy.

Only when you choose either the "Featured Mode" or "Full Mode" are you installing the Price Comparison feature. There is a privacy policy link in blue that takes you to http://www.superfish.com/privacy.jsp. The page that tells you about the additional information that is gathered.

This is the rub. You're agreeing to the so-called "secret spyware", so the only person responsible for it being on the PC is the one who didn't read all the documentation.

It truly sucks that developers are doing this, but these days people are hurting for cash. When was the last time any of us clicked on the contribute button? Outfits like superfish are a way to get it, and they are aggressively going after developers since they need money too.


Except it doesn't install AdBlockPlus. It makes the situation sound like, "Advanced Mode lets you use some aspects of FF addons you might have installed, like AdBlockPlus or, as another example, some price comparison addon you might have." It never mentions Superfish or WindowShopper by name or that the price comparison program is part of IETab. It further reduces suspicion by not having a single other setting that deals with 'price comparison'. What most people will think, and what I thought, was, "Oh, IE Tab Plus update. I must have forgot to set this to advanced or the settings were reset because I have used it on the advanced setting for the past 2 years. I'll just set it back. Back to the rest of my life that doesn't usually involve pulling knives from my back."

It was scummy. It _might_ be somehow justifiable but it just oozes deception. I'll be uninstalling any addons from those devs and actively ensuring people I work with do the same.
GTryder
Posts: 1223
Joined: April 14th, 2010, 10:52 am

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by GTryder »

neurohax wrote:I'll be uninstalling any addons from those devs and actively ensuring people I work with do the same.

While you're in process of suggesting/uninstalling junk "add-ons", you might have a look at that notably troublesome Google Toolbar that you have installed.
Ab subabsurda numquid ad veritas. "From the somewhat absurd possibility to reality."
Helper7677
Posts: 61
Joined: August 11th, 2010, 2:23 pm

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by Helper7677 »

houdini65,

Perhaps, you got into this a little late. I installed the update as soon as it was available.

houdini65 wrote:@Helper7677
Only when you choose either the "Featured Mode" or "Full Mode" are you installing the Price Comparison feature.

In the initial install on my system the "Featured Mode" (the Shopping Helper) was enabled by default. That has now been changed, apparently.
houdini65 wrote:@Helper7677
There is a privacy policy link in blue that takes you to http://www.superfish.com/privacy.jsp. The page that tells you about the additional information that is gathered.

If you are talking about the "View Privacy Policy" link just under "Add to Firefox" on this page: https://addons.mozilla.org/en-US/firefox/addon/10909/ , it takes you to the privacy policy page for IE Tab Plus (FF3.6+), not superfish. I see no other link on the above referenced page dealing with privacy policy. Please point out the link that takes a user to the superfish privacy policy.
houdini65 wrote:@Helper7677
This is the rub. You're agreeing to the so-called "secret spyware", so the only person responsible for it being on the PC is the one who didn't read all the documentation.

I am a long time user of Firefox and Netscape prior to Firefox, always read all the documentation for add-ons, and stress strongly that others do the same. There was originally no mention of the spyware being added.

In addition, all of the following has been added to https://addons.mozilla.org/en-US/firefox/addon/10909/ since this discussion began:
NOTE: Since v1.95.20100930 it contains the Window Shopper plugin provided by superfish. It is defaultly disabled and will only be enabled in "Featured Mode" or "Advanced Mode". However, if you really don't like this extra plugin, it is suggested to uninstall this version and try a clean version: IE Tab Plus v1.95.20100930 (FF 3.6+, No Adware, Absolutely Clean), from AMO. This version is as clean as the old versions.

Have you checked your C:...\Application Data\Mozilla\Firefox\Profiles\unique.default\extensions\ietab@ip.cn\components folder? There should be only one item, nsIeTabWatchFactory.js in that folder. The initial install had 4 superfish items added in that folder as stated in the first post in this thread.

If it becomes necessary that I check every file in every folder for a Firefox add-on, maybe it is time for me to start considering finding another browser after preferring Netscape, then Firefox for many, many years.
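Added example, not part of the original thread and not code from any poster or from the add-on: one way to automate the manual folder check described in the post above. It snapshots an extension folder by SHA-256 so an update can be diffed, and lists any file in `components` that is not on an allowlist. The extension ID and the single expected file name come from the post; the profile tree and the extra file names are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

EXT_ID = "ietab@ip.cn"                  # extension folder named in the post
ALLOWED = {"nsIeTabWatchFactory.js"}    # only file the post expects in components/

def snapshot(ext_dir):
    """Map relative path -> SHA-256 for every file under one extension folder."""
    ext_dir = Path(ext_dir)
    return {p.relative_to(ext_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(ext_dir.rglob("*")) if p.is_file()}

def diff_snapshots(before, after):
    """Files added, removed or changed between two snapshots, e.g. across an update."""
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(k for k in common if before[k] != after[k])}

def unexpected_components(profile_dir, ext_id=EXT_ID, allowed=ALLOWED):
    """Entries in <profile>/extensions/<ext_id>/components that are not allowlisted."""
    comp = Path(profile_dir) / "extensions" / ext_id / "components"
    if not comp.is_dir():
        return []
    return sorted(p.name for p in comp.iterdir() if p.name not in allowed)

def make_sample_profile(root, extra=()):
    """Build a constructed profile tree for the demo; 'extra' names are placeholders."""
    comp = Path(root) / "extensions" / EXT_ID / "components"
    comp.mkdir(parents=True, exist_ok=True)
    (comp / "nsIeTabWatchFactory.js").write_text("// constructed stand-in\n")
    for name in extra:
        (comp / name).write_text("// constructed bundled file\n")
    return Path(root) / "extensions" / EXT_ID

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as profile:
        ext_dir = make_sample_profile(profile)
        before = snapshot(ext_dir)              # baseline taken before the update
        make_sample_profile(profile, extra=("bundled-placeholder-1.js",))
        print(diff_snapshots(before, snapshot(ext_dir)))
        print(unexpected_components(profile))
```

Against a real profile, take the snapshot before applying an add-on update and diff afterwards; the allowlist check alone needs no baseline.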
houdini65
Posts: 8
Joined: March 10th, 2006, 2:58 pm

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by houdini65 »

Helper7677 wrote:houdini65,

Perhaps, you got into this a little late. I installed the update as soon as it was available.

I installed v1.93.20100725 on 8/15 then 1.93.20100930 on 10/5. So I've known about the issue for a long time. Actually helping one person eliminate it prior to the fixed v1.96.20101021 being posted.

houdini65 wrote:@Helper7677
Only when you choose either the "Featured Mode" or "Full Mode" are you installing the Price Comparison feature.

Helper7677 wrote:In the initial install on my system the "Featured Mode" (the Shopping Helper) was enabled by default. That has now been changed, apparently.

When I installed it, the "Featured Mode" (the Shopping Helper) was selected by default also, but you can choose one of the others, nothing is forcing you into the featured mode. I selected Full Mode myself, only because Adblock Plus was supported, otherwise I would have used basic mode.

houdini65 wrote:@Helper7677
There is a privacy policy link in blue that takes you to http://www.superfish.com/privacy.jsp. The page that tells you about the additional information that is gathered.

Helper7677 wrote:If you are talking about the "View Privacy Policy" link just under "Add to Firefox" on this page: https://addons.mozilla.org/en-US/firefox/addon/10909/ , it takes you to the privacy policy page for IE Tab Plus (FF3.6+), not superfish. I see no other link on the above referenced page dealing with privacy policy. Please point out the link that takes a user to the superfish privacy policy.


For reference purposes, I have v1.93.20100930 with (Shopping Helper) installed. Since I don't know which version you have.
Open the list of installed addons, Select IE Tab Plus > Select Options > The "Option Box" opens. There you have the three options: Basic, Featured Mode and Full Mode. Look to the right side of the "Option Box". Privacy Policy is shown.

It should have been on the page you were referencing and it's a crappy way of slipping it in, but it's there. It takes you here. http://www.superfish.com/privacy.jsp


houdini65 wrote:@Helper7677
This is the rub. You're agreeing to the so-called "secret spyware", so the only person responsible for it being on the PC is the one who didn't read all the documentation.

Helper7677 wrote:I am a long time user of Firefox and Netscape prior to Firefox, always read all the documentation for add-ons, and stress strongly that others do the same. There was originally no mention of the spyware being added.

If you go to http://coralietab.mozdev.org/installation.html scroll down to "What's New In v1.93.20100725:"
[NEW] Add a built-in Window Shopper online utility (See "ExternalApplications" in options)
Then there's that privacy policy I mentioned earlier.

Helper7677 wrote:Have you checked your C:...\Application Data\Mozilla\Firefox\Profiles\unique.default\extensions\ietab@ip.cn\components folder? There should be only one item, nsIeTabWatchFactory.js in that folder. The initial install had 4 superfish items added in that folder as stated in the first post in this thread.

I do have 4 additional files, I checked there after the install on 10/5. I look at them, and they collect the info listed in the second privacy policy, which is too much information in my opinion. But is blocked by NoScript and was also in my modified HOSTS file. 127.0.0.1 http://www.superfish.com

Helper7677 wrote:If it becomes necessary that I check every file in every folder for a Firefox add-on, maybe it is time for me to start considering finding another browser after preferring Netscape, then Firefox for many, many years.


I totally agree. I haven't been defending the extra crap in the addon, just pointing out that it was documented, albeit very badly.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by patrickjdempsey »

Just thought you guys should read the official Mozilla response to this:

https://forums.addons.mozilla.org/viewt ... =20&t=1960
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
malliz
Folder@Home
Posts: 43796
Joined: December 7th, 2002, 4:34 am
Location: Australia

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by malliz »

We review all updates before they are published and we would probably detect something like that.


Aye and there's the rub :-k
What sort of man would put a known criminal in charge of a major branch of government? Apart from, say, the average voter.
"Terry Pratchett"
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Spyware found in (Coral) IE Tab Plus (3.6) - 1.95

Post by patrickjdempsey »

He has mentioned that caveat in other discussions about the security of extensions. Basically, they can only guarantee that extensions do not include any *known* malicious code or exploits... but really, isn't that about all that any software vendor can promise? I mean, aside from just disconnecting the ethernet cable there's a limit to how paranoid you can be.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/