Firefox add-on with 7m downloads can invade privacy

Ant Video secretly tracks every website visited

A high-rated Firefox extension with more than 7 million downloads secretly collects data about every website the open-source browser visits and combines it with uniquely traceable information tied to the user, an independent security researcher said.

The undisclosed behavior of the Ant Video Downloader and Player add-on takes place even when the Firefox private browsing mode is turned on or when users are availing themselves of anonymity services such as Tor. The add-on carries a rating of four out of five possible stars and gets an average of almost 7,000 downloads per day, according to official Mozilla statistics.

The revelations raise new questions about the safety of extensions offered on Mozilla's website. A spokeswoman for the open-source developer said the media player, like all public extensions not designated experimental, was vetted to make sure it meets a list of criteria. Chief among them is that add-ons "must make it very clear to users what [privacy and security] risks they might encounter, and what they can do to protect themselves."

"We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication," the spokeswoman wrote in an email. "While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this."

In the meantime, the add-on is available for download on Mozilla's site with no warning.

Messages left through a submission form on Ant.com, where a stand-alone version of the software is hosted, weren't returned. Attempts to reach the developers through other channels weren't successful.

The stealth tracking came to the attention of Simon Newton while he was diagnosing problems with a web application he was in the middle of developing. When he fired up a packet sniffer, he discovered that information about every single HTTP request his PC made was being sent to a server at rpc.ant.com, which used an IP address owned by the Reality Check Network Corp. The data included the external website or internal server being accessed, the time, the browser details, and several persistent browser cookies that contained a Universally Unique Identifier.

Newton quickly linked the behavior to the Ant Video add-on installed on the PC. He said packets captured during a recent visit to El Reg looked like this:

POST / HTTP/1.1
Host: rpc.ant.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Content-Length: 327
Cookie: __utma=1.1249745586.1303010447.1305056403.1305056954.3; __utmz=1.1303010447.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.4.10.1305056954
X-Ant-UID: {0D908E35-A6A6-4326-B03A-CD8409A7FB79}
X-Ant-Agent: vdmoz-2.3.0-stable.linux-linux-i686
Pragma: no-cache
Cache-Control: no-cache

{"version":"1.0","id":1,"method":"rank","params":[{"url":"http://www.theregister.co.uk/","ref":"","uid":"{0D908E35-A6A6-4326-B03A-CD8409A7FB79}","uagent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17","lang":"en-us, en"}],"agent":"vdmoz-2.3.0-stable.linux-linux-i686"}

Ant.com servers responded with the following:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 50
Server: thin 1.2.7 codename No Hup
Connection: close
Date: Tue, 10 May 2011 20:19:09 GMT

{"version":"1.0","id":1,"code":0,"result":"4,086"}
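What makes the exchange above a tracking beacon rather than a harmless ranking lookup is the combination of three things in one request: the URL the user is visiting, a destination host that is not that site, and an identifier the client keeps sending (the X-Ant-UID header, the same UUID repeated in the JSON-RPC body, and persistent cookies). The following Python is an added example, not code from the article, from Newton, or from Ant.com: it parses a raw HTTP request of the shape captured above and flags that combination. The sample request is constructed here to mirror the capture; the function names are this example's own, and the header and field names are the ones visible in the capture.

```python
"""Flag browsing-history beacons in captured HTTP requests.

Added example, not from the article or from Ant.com.  Given a raw request,
it reports the beacon host, every URL the client is telling that host about,
which of those URLs belong to a different site, and the persistent
identifiers (UUID-shaped tokens and cookies) that let separate requests be
tied together.
"""
import json
import re
from urllib.parse import urlparse

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample request, modelled on the capture quoted in the article.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: rpc.ant.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Firefox/3.6.17\r\n"
    "Content-Type: application/json; charset=UTF-8\r\n"
    "Cookie: __utma=1.1249745586.1303010447.1305056403.1305056954.3; __utmb=1.4.10.1305056954\r\n"
    "X-Ant-UID: {0D908E35-A6A6-4326-B03A-CD8409A7FB79}\r\n"
    "X-Ant-Agent: vdmoz-2.3.0-stable.linux-linux-i686\r\n"
    "\r\n"
    '{"version":"1.0","id":1,"method":"rank","params":[{"url":"http://www.theregister.co.uk/",'
    '"ref":"","uid":"{0D908E35-A6A6-4326-B03A-CD8409A7FB79}","lang":"en-us, en"}],'
    '"agent":"vdmoz-2.3.0-stable.linux-linux-i686"}'
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased; a repeated header is joined with ', '.
    """
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers, body


def json_strings(node):
    """Yield every string value anywhere inside a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from json_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from json_strings(value)


def parse_json_body(headers, body):
    """Return the decoded JSON body, or None if it is not JSON."""
    if "json" not in headers.get("content-type", ""):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def reported_urls(headers, body):
    """URLs the client is reporting to the server (not the request target).

    JSON bodies are walked structurally so nested JSON-RPC params are found;
    anything else falls back to a plain regex scan of the body.
    """
    doc = parse_json_body(headers, body)
    if doc is not None:
        return [s for s in json_strings(doc) if URL_RE.fullmatch(s)]
    return URL_RE.findall(body)


def persistent_identifiers(headers, body):
    """UUID-shaped tokens in headers or body, plus the names of any cookies."""
    uuids = set(UUID_RE.findall(" ".join(headers.values()) + " " + body))
    cookie_header = headers.get("cookie", "")
    cookies = [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()]
    return sorted(uuids), cookies


def analyse(raw):
    """Classify one request; 'tracking_beacon' is True when a URL from another
    site is sent together with an identifier that persists across requests."""
    _method, _target, headers, body = parse_request(raw)
    beacon_host = headers.get("host", "").lower()
    urls = reported_urls(headers, body)
    third_party = [u for u in urls
                   if (urlparse(u).hostname or "").lower() != beacon_host]
    uuids, cookies = persistent_identifiers(headers, body)
    doc = parse_json_body(headers, body)
    return {
        "beacon_host": beacon_host,
        "rpc_method": doc.get("method") if isinstance(doc, dict) else None,
        "reported_urls": urls,
        "third_party_urls": third_party,
        "uuids": uuids,
        "cookies": cookies,
        "tracking_beacon": bool(third_party) and bool(uuids or cookies),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

Run over a packet capture, the same check applied to every outbound POST turns the one-off observation into a repeatable test: a request is suspicious when the site in the body is not the site in the Host header and the same UUID or cookie shows up on every request. Note that the "ref" field in the body is empty in this capture but would carry the referring page when set, so the referrer is worth extracting as well when it is present.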

Interestingly, the unique identifier of Newton's PC didn't change even after he removed the add-on and reinstalled it. The only way he was able to purge the tracking ID was to completely revert Firefox to its original settings and then reinstall the Ant Video extension.

"As there is this unique identifier, patterns could be built up about where I go -- for example if I use my laptop at work, at a public wifi hotspot, at home or a friend's house -- that [UUID] and cookie can be tied to all of those IP addresses, building a picture of not only what I am doing online, but where I am doing it from," he wrote in a blog post published on May 10.

"What alarms me a bit more is that the data that is transmitted about me and my browsing (even anonymously) is going onto servers in New York, USA," he continued. "What if I were visiting [a] site I did not want anyone to know about? What if the US government subpoena 'Reality check network corp' for all information stored on their servers about my IP address, cookie, or UUID?"

Newton said he tried contacting the add-on's developers to find out if the snoop behavior is the result of a bug, but so far no one has responded to a personal message or his blog post.

The larger lesson here is that just because a Firefox add-on has been subjected to Mozilla's official vetting process there is no guarantee it doesn't do things that many users consider to be invasions of their privacy. With at least 5,000 add-ons hosted on its site, it wouldn't be shocking to find out that Ant Video isn't the only extension that comes with a few nasty surprises. ®

Update

As of late Thursday night California time, the Ant Video Downloader was no longer available on Mozilla's site.

"The page or file you requested wasn't found on our site," the page where the add-on had been located read. "It's possible that you clicked a link that's out of date, or typed in the address incorrectly."

The error message didn't elaborate.
