Feeds

Firefox add-on with 7m downloads can invade privacy

Ant Video secretly tracks every website visited

Securing Web Applications Made Simple and Scalable

A high-rated Firefox extension with more than 7 million downloads secretly collects data about every website the open-source browser visits and combines it with uniquely traceable information tied to the user, an independent security researcher said.

The undisclosed behavior of the Ant Video Downloader and Player add-on takes place even when the Firefox private browsing mode is turned on or when users are availing themselves of anonymity services such as Tor. The add-on carries a rating of four out of five possible stars and gets an average of almost 7,000 downloads per day, according to official Mozilla statistics.

The revelations raise new questions about the safety of extensions offered on Mozilla's website. A spokeswoman for the open-source developer said the media player, like all public extensions not designated experimental, was vetted to make sure it meets a list of criteria. Chief among them is that add-ons "must make it very clear to users what [privacy and security] risks they might encounter, and what they can do to protect themselves."

"We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication," the spokeswoman wrote in an email. "While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this."

In the meantime, the add-on is available for download on Mozilla's site with no warning.

Messages left through a submission form on Ant.com, where a stand-alone version of the software is hosted, weren't returned. Attempts to reach the developers through other channels weren't successful.

The stealth tracking came to the attention of Simon Newton while he was diagnosing problems with a web application he was in the middle of developing. When he fired up a packet sniffer, he discovered that information about every single HTTP request his PC made was being sent to a server at rpc.ant.com, which used an IP address owned by the Reality Check Network Corp. The data included the external website or internal server being accessed, the time, the browser details, and several persistent browser cookies that contained a Universally Unique Identifier.

Newton quickly linked the behavior to the the Ant Video add-on installed on the PC. He said packets captured during a recent visit to El Reg looked like this:

POST / HTTP/1.1
Host: rpc.ant.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Content-Length: 327
Cookie: __utma=1.1249745586.1303010447.1305056403.1305056954.3; __utmz=1.1303010447.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.4.10.1305056954
X-Ant-UID: {0D908E35-A6A6-4326-B03A-CD8409A7FB79}
X-Ant-Agent: vdmoz-2.3.0-stable.linux-linux-i686
Pragma: no-cache
Cache-Control: no-cache
{"version":"1.0","id":1,"method":"rank","params":[{"url":"http://www.theregister.co.uk/","ref":"","uid":"{0D908E35-A6A6-4326-B03A-CD8409A7FB79}","uagent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17","lang":"en-us, en"}],"agent":"vdmoz-2.3.0-stable.linux-linux-i686"}HTTP/1.1 200 OK

Ant.com servers responded with the following:

Content-Type: application/json
Content-Length: 50
Server: thin 1.2.7 codename No Hup
Connection: close
Date: Tue, 10 May 2011 20:19:09 GMT
{"version":"1.0","id":1,"code":0,"result":"4,086"}

Interestingly, the unique identifier of Newton's PC didn't change even after he removed the add-on and reinstalled it. The only way he was able purge the tracking ID was to completely revert Firefox to its original settings and then reinstall the Ant Video extension.

"As there is this unique identifier, patterns could be built up about where I go -- for example if I use my laptop at work, at a public wifi hotspot, at home or a friends house -- that [UUID] and cookie can be tied to all of those IP addresses, building a picture of not only what I am doing online, but where I am doing it from," he wrote in a blog post published on May 10.

"What alarms me a bit more is that the data that is transmitted about me and my browsing (even anonymously) is going onto servers in New York, USA," he continued. "What if I were visiting [a] site I did not want anyone to know about? What if the US government subpoena 'Reality check network corp' for all information stored on their servers about my IP address, cookie, or UUID?"

Newton said he tried contacting the add-on's developers to find out if the snoop behavior is the result of a bug, but so far no one has responded to a personal message or his blog post.

The larger lesson here is that just because a Firefox add-on has been subjected to Mozilla's official vetting process there is no guarantee it doesn't do things that many users consider to be invasions of their privacy. With at least 5,000 add-ons hosted on its site, it wouldn't be shocking to find out that Ant Video isn't the only extension that comes with a few nasty surprises. ®

Update

As of late Thursday night California time, the Ant Video Downloader was no longer available on Mozilla's site.

"The page or file you requested wasn't found on our site," the page where the add-on had been located read. "It's possible that you clicked a link that's out of date, or typed in the address incorrectly."

The error message didn't elaborate.

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.