Crvtck.com-tracker in addons "Screengrab!" and "S3.Google Translator"

I have found trackers in the addons “Screengrab!” and “S3.Google Translator”:

The addon “S3.Google translator” (at least version 5.35) and “Screengrab (fix version)” (at least version 0.99.12) do contain a tracker. I tested with these versions because I use Pale Moon browser, and not all Firefox addon (versions) are compatible with Pale Moon. But since it is a tracker I suspect it to be also in later versions and successor addons.

I report it here, to raise awareness for the responsible people so that they can investigate and take measures.

Here is what I observed:

When one of the addons is enabled, whenever I visit a new domain in a new tab (or revisit an
old one after some longer time), this is logged to crvtck.com, possibly
containing other data:

I see HTTP requests going out to URLs of the form

https://crvtck.com/get?key=<key>&out=https://kauflandstiftung.demdex.net&ref=https://www.kaufland.de&uid=o256&format=txt

<key> is a hex string with 32 characters.

… I also notice POST requests to discount.s3blog.org:

http://discount.s3blog.org/addon.html?!POST:<string>
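A log check for the two request patterns described in the report above, as an added example that is not part of the original post or of either addon's code. It assumes `ref` carries the site being visited; the key, the example.org entries and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TRACKER_HOST = "crvtck.com"          # host named in the report
POST_HOST = "discount.s3blog.org"    # second host named in the report
KEY_RE = re.compile(r"[0-9a-fA-F]{32}")  # "hex string with 32 characters"

def _host_is(host, domain):
    # Exact host or a subdomain of it; "notcrvtck.com" must not match.
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return a finding for a URL matching the reported patterns, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _host_is(host, TRACKER_HOST) and parts.path == "/get":
        q = parse_qs(parts.query)
        first = lambda name: q.get(name, [None])[0]
        return {
            "kind": "tracker-get",
            "visited": first("ref"),   # assumption: ref = site the user was on
            "out": first("out"),
            "uid": first("uid"),
            "key_ok": bool(KEY_RE.fullmatch(first("key") or "")),
        }
    if _host_is(host, POST_HOST) and parts.path == "/addon.html":
        return {"kind": "s3blog-post", "visited": None}
    return None

def leaked_sites(urls):
    """Sorted, de-duplicated `ref` values found in tracker requests."""
    hits = (classify(u) for u in urls)
    return sorted({h["visited"] for h in hits if h and h["visited"]})

# Constructed sample of outgoing request URLs (e.g. from a proxy log).
SAMPLE_KEY = "0123456789abcdef0123456789abcdef"  # constructed, not a real key
SAMPLE_URLS = [
    f"https://crvtck.com/get?key={SAMPLE_KEY}&out=https://kauflandstiftung.demdex.net"
    "&ref=https://www.kaufland.de&uid=o256&format=txt",
    f"https://crvtck.com/get?key={SAMPLE_KEY}&out=https://example.org"
    "&ref=https://example.org&uid=o256&format=txt",
    "http://discount.s3blog.org/addon.html?!POST:constructed",
    "https://www.kaufland.de/index.html",
    "https://notcrvtck.com/get?key=x&ref=https://example.net",
]

if __name__ == "__main__":
    for site in leaked_sites(SAMPLE_URLS):
        print("visited site sent to tracker:", site)
```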

Thank you for the report. Please make sure you try this in the latest version though, as policy issues may have been fixed in the meanwhile.

For reporting policy violations, it is better to contact amo-admins [at] mozilla [dot] org. If you have any followup on this case please contact us via email.

Thank you for your answer.

I cannot test it with latest versions, since I use Pale Moon, and the latest versions are not compatible with Pale Moon (or the author just does not care to add compatibility information in the metadata).

And I don’t see it as my duty to take big extra measures (compile and install Firefox, configure it, …) to test more; it was already some time to dig this one out and find a place where to report it.

Thank you for sending me the Email address to report policy violations.

On Tue, 5 Jun 2018 20:53:14 +0000, Philipp Kewisch
discourse@mozilla-community.org wrote about “Re: [Add-ons]
Crvtck.com-tracker in addons “Screengrab!” and “S3.Google Translator””:

Reported.

Also going to public authorities responsible for privacy violations.

I am thinking to report this also to the public authority in charge of privacy violations. I think this is a privacy violation since data about which websites the user visits is sent to somewhere without the user being informed and presented with an opt-in. And this would mean that probably the Mozilla Foundation would be made responsible because they actively distribute the violating addon.

Why is this addon still operational? I can confirm the tracking is still going on, which is what made me google search (http://discount.s3blog.org).
How bad is this and do I need to cancel all my credit cards/change all my passwords?

Addon contains statistic collection, but this function is disabled by default.
So you enabled the collection of statistics and are unhappy with this?

It was enabled for me after install.

I had to manually deactivate it & firewall the requests.

Maybe in newer versions it is disabled by default?

On Thu, 13 Dec 2018 15:19:15 +0000, dartraiden
discourse@mozilla-community.org wrote about “Re: [Add-ons]
Crvtck.com-tracker in addons “Screengrab!” and “S3.Google Translator””:

It looks like you’re right. Newer versions immediately after installation open the page with the question “allow statistic collection or not?”

Btw, «S3.Google Translator» was removed from the AMO. Funny that it was removed at the very moment when it stopped collecting telemetry by default…