Ant Video Downloader Firefox Add-on Secretly Tracks Your Browsing History
A popular Firefox add-on named Ant Video Downloader and Player that has over 7 million downloads has been said to secretly collect data about every website the user visits and sends the information back to its developer without the user’s knowledge. The tracking is said to happen even when private browsing mode is tuned on or when users are using anonymous services such as Tor.
A web application developer, Simon Newton happened to discover the undisclosed behavior of the add-on when he fired up a packet sniffer and discovered that information about every single HTTP request his PC made was being sent to a server at rpc.ant.com. The data included the external website or internal server being accessed, the time, the browser details, and several persistent browser cookies that contained a Universally Unique Identifier. The unique ID could easily be traced back to his computer.
Further, the unique identifier didn't change even after he removed the add-on and reinstalled it. The only way to purge the tracking ID was to completely revert Firefox to its original settings and then reinstall the Ant Video extension.
The disturbing part is the add-on is hosted on Mozilla’s servers and is said to be reviewed by the staff. The new revelations raise new questions about the safety of extensions offered on Mozilla's website.
A member from the add-ons team at Mozilla said at a discussion at Hacker News:
We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication. While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this.
How can an add-on that tracks the user across the web is not a policy violation is beyond me, especially when Mozilla were the first to propose the Firefox 'Do Not Track' feature.
The spokesperson further adds,
Add-ons publicly available in our gallery have been reviewed for security problems, and add-ons that aren't marked as experimental have been fully reviewed for a range of other issues as described in our hosting policies. Because developers set their own privacy policies and can update them any time, it is more difficult for us to review them for compliance with their own rules. We encourage users to always read an add-on's privacy policy if one is provided and to use the Report Abuse link if anything suspicious is noticed.
In short, Mozilla is thrusting the responsibility of protecting oneself from rogue add-ons back on the users. But you can't blame the users since they are installing from a Mozilla page and trusting the brand.
Meanwhile, users who are using the Ant Video Downloader extension and do not wish to be tracked, should uninstall it immediately and look for an alternative.
[via The Register, Hacker News]
No, what this sadly and infuriatingly represents is that FireFox got paid. By Ant. In an about face by Mozilla concerning how they'll look out for their end users, and just like Facebook, that fat paycheck made them look the other way to 'showcase' the nefarious Ant add-on. And now that you found it, why won't Firefox outright remove it from their hosting page? There is no other reason plausible than: They got paid. Absolutely disgusting.