Saturday, May 21, 2011

Ant Video Downloader Firefox Add-on Secretly Tracks Your Browsing History

A popular Firefox add-on named Ant Video Downloader and Player that has over 7 million downloads has been said to secretly collect data about every website the user visits and sends the information back to its developer without the user’s knowledge. The tracking is said to happen even when private browsing mode is tuned on or when users are using anonymous services such as Tor.

antvideo

A web application developer, Simon Newton happened to discover the undisclosed behavior of the add-on when he fired up a packet sniffer and discovered that information about every single HTTP request his PC made was being sent to a server at rpc.ant.com. The data included the external website or internal server being accessed, the time, the browser details, and several persistent browser cookies that contained a Universally Unique Identifier. The unique ID could easily be traced back to his computer.

Further, the unique identifier didn't change even after he removed the add-on and reinstalled it. The only way to purge the tracking ID was to completely revert Firefox to its original settings and then reinstall the Ant Video extension.

The disturbing part is the add-on is hosted on Mozilla’s servers and is said to be reviewed by the staff. The new revelations raise new questions about the safety of extensions offered on Mozilla's website.

A member from the add-ons team at Mozilla said at a discussion at Hacker News:

We've looked into the Ant Video Player and found that it does send information about websites users visit in order to power its ranking feature displayed for each website, and also includes a unique identifier in this communication. While this does not violate our policies, we do require it to be disclosed in the privacy policy and the add-on's description. We have contacted the developer and asked them to correct this.

How can an add-on that tracks the user across the web is not a policy violation is beyond me, especially when Mozilla were the first to propose the Firefox 'Do Not Track' feature.

The spokesperson further adds,

Add-ons publicly available in our gallery have been reviewed for security problems, and add-ons that aren't marked as experimental have been fully reviewed for a range of other issues as described in our hosting policies. Because developers set their own privacy policies and can update them any time, it is more difficult for us to review them for compliance with their own rules. We encourage users to always read an add-on's privacy policy if one is provided and to use the Report Abuse link if anything suspicious is noticed.

In short, Mozilla is thrusting the responsibility of protecting oneself from rogue add-ons back on the users. But you can't blame the users since they are installing from a Mozilla page and trusting the brand.

Meanwhile, users who are using the Ant Video Downloader extension and do not wish to be tracked, should uninstall it immediately and look for an alternative.

[via The Register, Hacker News]

5 comments:

  1. No, what this sadly and infuriatingly represents is that FireFox got paid. By Ant. In an about face by Mozilla concerning how they'll look out for their end users, and just like Facebook, that fat paycheck made them look the other way to 'showcase' the nefarious Ant add-on. And now that you found it, why won't Firefox outright remove it from their hosting page? There is no other reason plausible than: They got paid. Absolutely disgusting.

    ReplyDelete
  2. I stumbled onto this post while Googling for 'alternative to Ant Video Downloader". It was performing well for the most parts except that it was not able to detect/download some videos on a website. Was shocked to learn of this potential security risk. I don't consider myself a techie...so I was hoping the author could enlighten me in layman terms, what are the potential damage the Ant Video software can inflict on unsuspecting users? e.g. snoop credit card details??? see my ID/paswords to paypal or shoppingcart purchases??...

    For your consideration.

    ReplyDelete
  3. No, it cannot steal your credit card details or see your passwords, but it does know every website you visited. It's like they have access to your browser history. Other than breaching user's privacy, Ant Video Downloader cannot inflict financial damage on users.

    Still, I recommend you use Video DownloadHelper.

    ReplyDelete
  4. ANT no longer works with FireFox 18 anyway.

    ANT = Delete

    ReplyDelete
  5. First of all I invite to read Ant.com Privacy Policy, which can be found here: http://www.ant.com/privacy-policy.

    Moreover, if a user does not wish to share any sort of information for statistics purposes, he is very welcome not to do so.

    The procedure is super simple: Preferences > Privacy Settings > Uncheck the boxes below.

    The incompatibility issue with Mozilla Firefox version 18.0 has been solved in a new version of Ant.com Downloader version 2.4.7.5.

    Hope you have the very lovely day.

    Regards,
    Ant V

    ReplyDelete