Feeds

Firefox add-on with 7m downloads can invade privacy

Ant Video secretly tracks every website visited

Secure remote control for conventional and virtual desktops

A high-rated Firefox extension with more than 7 million downloads secretly collects data about every website the open-source browser visits and combines it with uniquely traceable information tied to the user, an independent security researcher said.

The undisclosed behavior of the Ant Video Downloader and Player add-on takes place even when the Firefox private browsing mode is turned on or when users are availing themselves of anonymity services such as Tor. The add-on carries a rating of four out of five possible stars and gets an average of almost 7,000 downloads per day, according to official Mozilla statistics.

The revelations raise new questions about the safety of extensions offered on Mozilla's website. A spokeswoman for the open-source developer said the media player, like all public extensions not designated experimental, was vetted to make sure it meets a list of criteria. Chief among them is that add-ons "must make it very clear to users what [privacy and security] risks they might encounter, and what they can do to protect themselves."

"We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication," the spokeswoman wrote in an email. "While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this."

In the meantime, the add-on is available for download on Mozilla's site with no warning.

Messages left through a submission form on Ant.com, where a stand-alone version of the software is hosted, weren't returned. Attempts to reach the developers through other channels weren't successful.

The stealth tracking came to the attention of Simon Newton while he was diagnosing problems with a web application he was in the middle of developing. When he fired up a packet sniffer, he discovered that information about every single HTTP request his PC made was being sent to a server at rpc.ant.com, which used an IP address owned by the Reality Check Network Corp. The data included the external website or internal server being accessed, the time, the browser details, and several persistent browser cookies that contained a Universally Unique Identifier.

Newton quickly linked the behavior to the the Ant Video add-on installed on the PC. He said packets captured during a recent visit to El Reg looked like this:

POST / HTTP/1.1
Host: rpc.ant.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Content-Length: 327
Cookie: __utma=1.1249745586.1303010447.1305056403.1305056954.3; __utmz=1.1303010447.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.4.10.1305056954
X-Ant-UID: {0D908E35-A6A6-4326-B03A-CD8409A7FB79}
X-Ant-Agent: vdmoz-2.3.0-stable.linux-linux-i686
Pragma: no-cache
Cache-Control: no-cache
{"version":"1.0","id":1,"method":"rank","params":[{"url":"http://www.theregister.co.uk/","ref":"","uid":"{0D908E35-A6A6-4326-B03A-CD8409A7FB79}","uagent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17","lang":"en-us, en"}],"agent":"vdmoz-2.3.0-stable.linux-linux-i686"}HTTP/1.1 200 OK

Ant.com servers responded with the following:

Content-Type: application/json
Content-Length: 50
Server: thin 1.2.7 codename No Hup
Connection: close
Date: Tue, 10 May 2011 20:19:09 GMT
{"version":"1.0","id":1,"code":0,"result":"4,086"}

Interestingly, the unique identifier of Newton's PC didn't change even after he removed the add-on and reinstalled it. The only way he was able purge the tracking ID was to completely revert Firefox to its original settings and then reinstall the Ant Video extension.

"As there is this unique identifier, patterns could be built up about where I go -- for example if I use my laptop at work, at a public wifi hotspot, at home or a friends house -- that [UUID] and cookie can be tied to all of those IP addresses, building a picture of not only what I am doing online, but where I am doing it from," he wrote in a blog post published on May 10.

"What alarms me a bit more is that the data that is transmitted about me and my browsing (even anonymously) is going onto servers in New York, USA," he continued. "What if I were visiting [a] site I did not want anyone to know about? What if the US government subpoena 'Reality check network corp' for all information stored on their servers about my IP address, cookie, or UUID?"

Newton said he tried contacting the add-on's developers to find out if the snoop behavior is the result of a bug, but so far no one has responded to a personal message or his blog post.

The larger lesson here is that just because a Firefox add-on has been subjected to Mozilla's official vetting process there is no guarantee it doesn't do things that many users consider to be invasions of their privacy. With at least 5,000 add-ons hosted on its site, it wouldn't be shocking to find out that Ant Video isn't the only extension that comes with a few nasty surprises. ®

Update

As of late Thursday night California time, the Ant Video Downloader was no longer available on Mozilla's site.

"The page or file you requested wasn't found on our site," the page where the add-on had been located read. "It's possible that you clicked a link that's out of date, or typed in the address incorrectly."

The error message didn't elaborate.

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.