A popular Firefox add-on named Ant Video Downloader and Player, which has over 7 million downloads, is said to secretly collect data about every website the user visits and send that information back to its developer without the user’s knowledge. The tracking is said to happen even when private browsing mode is turned on or when users are using anonymous services such as Tor.
A web application developer, Simon Newton, discovered the undisclosed behavior of the add-on when he fired up a packet sniffer and found that information about every single HTTP request his PC made was being sent to a server at rpc.ant.com. The data included the external website or internal server being accessed, the time, the browser details, and several persistent browser cookies that contained a Universally Unique Identifier. The unique ID could easily be traced back to his computer.
Further, the unique identifier didn't change even after he removed the add-on and reinstalled it. The only way to purge the tracking ID was to completely revert Firefox to its original settings and then reinstall the Ant Video extension.
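A defender reviewing their own proxy log or packet capture can look for the pattern described above: one destination that keeps receiving the same UUID together with the addresses of unrelated sites, including after a reinstall. This is an added example, not code from the original article or from Simon Newton; the record layout, field names and all sample values are constructed assumptions, and only the host name rpc.ant.com comes from the article.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed identifiers and capture records (not taken from the article).
UID_A = "3f2b8c1e-9a4d-4e6f-8b2a-1c5d7e9f0a1b"
UID_B = "7c1d2e3f-0a1b-4c2d-9e3f-4a5b6c7d8e9f"
# Assumed layout: (session label, destination host, Cookie header, request body)
CAPTURE = [
    ("install-1", "rpc.ant.com", f"uid={UID_A}", "url=http://intranet.example/wiki&ts=1"),
    ("install-1", "rpc.ant.com", f"uid={UID_A}", "url=http://news.example/story&ts=2"),
    ("reinstall", "rpc.ant.com", f"uid={UID_A}", "url=http://bank.example/login&ts=3"),
    # Ordinary first-party session cookie: a UUID, but no other sites reported.
    ("install-1", "video.example", f"sid={UID_B}", ""),
    ("install-1", "cdn.example", "theme=dark", "url=http://cdn.example/a.js"),
]

def reported_hosts(body):
    """Hostnames of any URLs carried as form values in a request body."""
    hosts = set()
    for values in parse_qs(body).values():
        for value in values:
            host = urlsplit(value).hostname
            if host:
                hosts.add(host)
    return hosts

def find_beacons(records, min_sites=2):
    """Flag (destination, uuid) pairs where one stable UUID accompanies
    reports about at least min_sites hosts other than the destination."""
    seen = defaultdict(lambda: {"sites": set(), "sessions": set()})
    for session, dest, cookie, body in records:
        others = reported_hosts(body) - {dest}
        for uid in UUID_RE.findall(cookie):
            entry = seen[(dest, uid.lower())]
            entry["sites"] |= others
            entry["sessions"].add(session)
    return {k: v for k, v in seen.items() if len(v["sites"]) >= min_sites}

if __name__ == "__main__":
    for (dest, uid), info in find_beacons(CAPTURE).items():
        print(dest, uid, sorted(info["sites"]), sorted(info["sessions"]))
```

A flagged pair whose sessions span a reinstall corresponds to the persistence described above, where the identifier survived removing and reinstalling the add-on.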
The disturbing part is that the add-on is hosted on Mozilla’s servers and is said to be reviewed by the staff. The revelations raise new questions about the safety of extensions offered on Mozilla's website.
A member of the add-ons team at Mozilla said in a discussion on Hacker News:
How an add-on that tracks the user across the web is not a policy violation is beyond me, especially when Mozilla was the first to propose the Firefox 'Do Not Track' feature.
The spokesperson further adds,
In short, Mozilla is thrusting the responsibility of protecting oneself from rogue add-ons back on the users. But you can't blame the users, since they are installing from a Mozilla page and trusting the brand.
Meanwhile, users of the Ant Video Downloader extension who do not wish to be tracked should uninstall it immediately and look for an alternative.