Malware addon

I don’t understand why this addon is still listed in the AMO gallery:

It is been around for a year or so and there are already 75K users infected. It is injecting 100+ scripts to EVERY page you visit and requesting permissions like this:

• Access your data for all website
• Exchange messages with programs other than Firefox
• Input data to the clipboard
• Download files and read and modify the browser’s download history
• Open files downloaded to your computer

when it should be a simple downloader working just on you *.youtube.com

I totally agree. There should be a strict check for powerful permissions like “<all_urls>” and those without clear relevant usage should be blocked.

Since 5 days ago Google has new policy in place regarding Chrome extensions that forbid this behavior:

We’re requiring extensions to only request access to the appropriate data needed to implement their features. If there is more than one permission that could be used to implement a feature, developers must use the permission with access to the least amount of data. While this has always been encouraged of developers, now we’re making this a requirement for all extensions.

It would be nice to see it here. Until then, I guess all we can do is report such extensions.

PS: some nice reading how fake Adblock addons can make millions USD a month:
https://adguard.com/en/blog/fake-ad-blockers-part-2.html

Firefox now make nice improvements on security. But there is still a few addons like this one that should not be listed. I really dont like that only the featured addons appear in the homepage as they are a little bit limited and some of them are worse than other not featured. But overall I think it is safer than google chrome store at the moment.

I’m not qualified to review add-ons, but unless it is either exfiltrating user data or monetizing users without consent, the fact that it is poorly designed and has the potential for abuse might not be a good enough reason to block/remove it.

Oh really? an addon that injects you 100 javascripts scripts to every page you visit and breaks your browser to a point tha tyou need to restart your computer. Is it not a reason to block this addon? So what should be a reason in your opinion?

Also an addon that should be working only in youtube.com domain but it is injecting 100 files in every page. An addon that has permission to download files for you and not only this, it has permission to also open and execute the download files for you.

I didn’t see that issue mentioned in the reviews. If an extension works poorly on some systems, it’s quite easy for users to disable or remove it.

If there is a general performance or stability problem that affects a large number of users, of course it would make sense to disable the extension so there can’t be new installs. However, I don’t know whether it would be grounds to delete it from AMO or block it (meaning, disabling it in existing installs by adding it to the block file).

Has anyone looked at the 100 scripts/files to see what they do?

I don’t use this category of extensions myself, but I notice many video downloaders have broad host permissions, perhaps related to embedded videos or diverse media hosting server addresses.

https://www.jeffersonscher.com/sumo/extensions.php#q=youtube%20download (my search tool show permissions on the side)

Someone more familiar with how these extensions work would need to look at it.

Just a note that I do believe in minimizing permissions and do that on my own extensions. If optional permission requests – the ability to add individual sites after installation – were easier to integrate into popups (the panels that drop from the toolbar), I think they would be more attractive to developers. (request method is not available except from an extension’s Options page or the Add-ons page - MDN)

Is this your extension? I really can’t believe you are defending this extension, when even my antivirus detect it as a malware.

This kind of addon should have permissions only for youtube.com (it doesn’t work in any other page nor embeded videos, did you even try it?). And of course it doesn’t need permission to open the files you download to your computer, nor communciate with apps in your computer other than firefox.

Hey folks, we’re looking into this.

I can’t defend this extension, as I haven’t review it. However, until you related this new fact, you hadn’t actually provided any basis for believing that the extension was doing anything wrong.

Is the detection for the extension itself or for a companion application you are supposed to download?

It’s hard to review when there is 100+ content scripts. As you previously stated, it’s not poorly designed, it’s actually designed this way to make it more difficult to debug. It was adding a js in every page I visit, but now it stopped this behaviour, probably it’s remote code and they can pause it.

Hi Folks,

thank you for the interest in this add-on and helping to keep the add-ons ecosystem safe. I agree with jscher2000 in that the design and use of many content scripts is not something we automatically block for. I’d invite you to take a look at our policies to see under which conditions we’d reject or block an add-on.

As Caitlin mentioned, we are looking into this add-on to see if there are policy violations. We will take the appropriate action for this add-on, please note that we cannot disclose information about the results or reasoning.

One final thing: It has come to our attention that the add-on has received a number of negative reviews following this post. I’d ask readers of this post to avoid jumping to conclusions. If the add-on is acting by our policies, it would be unfair to the developer to receive negative ratings for alleged violations. You are welcome to tell the developer about your experience with this add-on, but please keep it friendly and check your facts.

Thank you for your support.

Hi,

I’m the owner of this Add-on, my name Geane and I would like to participate in this conversation please.

So to clear things up and to resolve this issue, let me explain please:

Scripts issue:
The fact that this Add-on has a lot of scripts loaded into it, is simply an architectural design, it has nothing to do with malicious acts or affecting performance.
One should be aware of the difference between a website and an Add-on -
Website - loading a lot of scripts that are not bundled together on a WEBSITE will create a performance hit due to the amount of the HTTP Requests the browser will have to make.
Add-on - upon installation, the user downloads the Add-on itself into his/hers computer and loading a lot of files will not affect performance as they are loaded from the local computer’s hard-drive which is very fast and unnoticeable.

In terms of design:
The Add-on’s code can easily be viewed, it has a lot of scripts, all broken into modules which makes design easier, more effective and less prone to bugs.
That’s how you usually should write programs, the only difference between a website and an Add-on, is that for a website, you should bundle all the files into one single file to improve performance (reason explained above), for an Add-on, there is no need.

Having said that, if Mozilla decides this is a performance issue, I will definitely create a new version that bundles all scripts into one file.

Permissions issue:
“Exchange messages with programs other than Firefox” - this is requested because this Add-on works with a native application, although, the user doesn’t have to install the application which makes this permission redundant.

“Input data to the clipboard” - this allows the user to copy the link into the clipboard if they wish to.

“Open files downloaded to your computer” - this was supposed to be used to open the native application once downloaded into the user’s computer, however, it is not used and will be removed - I accept the criticism here!

“Display notifications to you” - if the user installs the native application, every time it finishes its work, it notifies them - this makes a nice user experience.

“Access browser tabs” / “Access browser activity during navigation” - this helps detect relevant pages as they are loaded.

“Download files and read and modify the browser’s download history” - that’s the permission to download files.

“Access browsing history” - this is not used yet at the moment and is meant to clear a bit the download history when multiple files are downloaded. I might remove it.

“Access your data for all websites” - the big permission, the one that scares people - although this video downloader is specific for one website, the detection algorithm is complex and requires a few more domains as the videos are served from different locations as “jscher2000” pointed out (thanks jscher2000! :))
But most importantly, it is there because these domains are prone to change and have historically if I remember correctly.
It is impossible to anticipate ahead of time which domains will be needed for future detection.
This permission is used very responsibly to not affect all other irrelevant websites.
A lot of video downloaders such as this use this permission, it’s not uncommon.

Having said all that, I will look into narrowing the permissions a bit as I can understand they might look scary.

The Add-on breaking the browser:
Do you have relevant facts to this accusation ?
I have never received a single complaint about performance, well, except yours.

Regarding executing and opening files downloaded into your computer:
I will remove this permission as noted before, however, it’s currently not used at all.
You may look for “downloads.open” in the Add-on’s code, that line is commented and not used.
Also, it can only be invoked by a “user action” - and there are none currently.
You may read about it here -

Communication with a native application:
This is optional, the user may want more options that are not possible from the extension itself.
If the user doesn’t download/install the companion app, this permission becomes unusable.
A native app is common, “Video DownloadHelper” uses one.

Anti-virus detection:
I don’t know in which circumstances you claim your Anti-virus detected this Add-on as a virus.
When it comes to security, AMO’s platform/reviewers are responsible for handling any malware/malicious Add-ons and they have reviewed my Add-on a few times already.
Also, “WebExtensions” by design is very secure.

Regarding negative reviews:
These are most likely spam, Mozilla will investigate it.
They started last month.
It’s very easy to abuse AMO when it comes to reviews.

I hope that clears everything up.

Thanks for listening,
Geane.