Mozilla removes all Avast Firefox extensions

F

ForgottenSeer 823865

I'm going to minimize my exposure and mitigate to a point that is not too cumbersome.... but accept that this is just part of internet usage.
That the only effective and easiest countermeasure.
Internet is like a city, sites are places, some are shops , some are public areas.
IRL, you don't walk around with a board where your name, address and other sensitive infos are written on it. so why do it online?
minimum exposure = increased privacy.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
I wonder why people are so concerned about telemetry, most are anonymous datas needed by devs/companies to get precise infos on how their products behave and are used.

By logic, if you install a software on your system, it means you trust the vendor. So if if you trust it, why being so concerned by datas it may gathers...
Same logic, when you live with a roomate, you trust her with some personal details about your life.

As far as I know, the worst intrusive telemetry in extensions made by respectable companies would only collect, IPs, URLs and eventually your machine or browser profile name . They aren't (I hope) keyloggers.

Of course, it is better if they don't mine you, but it is up to them and their business plan (you have no control over it), however you can mitigate it via some methods if you feel uncomfortable.
I almost became a privacy wonk. Then I decided to just not use google for anything too private. Now life is easy. They make good tools and I’m not endlessly searching through broken alternatives. I think telemetry has become a fear mongering word in security software. Even the privacy focused brands use it, they just are upfront or promise to anonymize data. If someone really wants to track you they’ll get you, because you’re using windows...and the internet.
Also, I agree that the internet wasn’t built to be private, but more of a public place. I love the image of people walking around with cardboard boxes on their head so no one sees them and they don’t see the ads. :ROFLMAO:
 
Last edited:

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
Just in case you are curious: It's quite easy to figure out whether or not an extension is spying on you. In Firefox just go to this URL: about:debugging#/runtime/this-firefox

Then click "Inspect" next to the plugin:

1575562237458.png


This will open the usual web developer tools that you can also open with F12, but for the addon specifically. You can then pretty much just switch to the network tab and start browsing to sites. Any requests performed by the extension you are inspecting will show up in the network log and you can see exactly what kind of data is being transferred.

For TrafficLight for example, the extension will send every single URL you visit to Bitdefender:

1575562401055.png


Works for all extensions really and you don't have to blindly trust what the extension creator claims they send. Chrome has a similar tool IMHO, but I switched away from Chrome some time ago once they announced their breaking changes to ad blockers. Never looked back.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I wonder why people are so concerned about telemetry, most are anonymous datas needed by devs/companies to get precise infos on how their products behave and are used.

By logic, if you install a software on your system, it means you trust the vendor. So if if you trust it, why being so concerned by datas it may gathers...
Same logic, when you live with a roomate, you trust her with some personal details about your life.

As far as I know, the worst intrusive telemetry in extensions made by respectable companies would only collect, IPs, URLs and eventually your machine or browser profile name . They aren't (I hope) keyloggers.

Of course, it is better if they don't mine you, but it is up to them and their business plan (you have no control over it), however you can mitigate it via some methods if you feel uncomfortable.

I think there are varying degrees of trust. You generally live with and trust a roommate or domestic partner because you either have some expectation that they have the common decency not to be snooping around your important documents or doing forensic analysis on your hard drives while you're not home, or because you have such a relationship that you simply don't care even if they do.

I'm not sure people feel the same way about browser extensions. Those things more provide a service for me, and while to some extent I'm letting them run on my machine, it is within the confines of a browser sandbox and there's also frequently finer grained permissions with regards to what they are allowed to see or modify.

Capturing a detailed log of URLs can be problematic for many reasons. First, URLs often cannot be anonymized. For example, certain long URLs from Facebook images or cloud photo libraries actually do have your account ID embedded in them, which specifically identifies you, making anonymization difficult. Sometimes HTTPS sites will post your credentials directly as URL arguments to Javascript requests. Capturing those also reveals your credentials. And like with any cloud service, it degrades you of control over your data and allows other entities (either through legal subpoena or "cooperation") to request your data.

Third party security software is always a huge dilemma for me because it forces me to place absolute trust in yet another entity. I already have to do that with my OS vendor, and to some extent my browser vendor, sure. But a full blown internet security suite basically provides detailed logs about everything you're doing on your system.... and that requires me to place a lot of trust in the vendor that they are not easily compromised by ulterior motives and also that they are doing exactly what they say they're doing with that information.

I cannot tell you the number of times I've worked at a place where those principles go out the door when there's a business critical issue at hand.
 

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
I wonder why people are so concerned about telemetry, most are anonymous datas needed by devs/companies to get precise infos on how their products behave and are used.

By logic, if you install a software on your system, it means you trust the vendor. So if if you trust it, why being so concerned by datas it may gathers...
Same logic, when you live with a roomate, you trust her with some personal details about your life.

As far as I know, the worst intrusive telemetry in extensions made by respectable companies would only collect, IPs, URLs and eventually your machine or browser profile name . They aren't (I hope) keyloggers.

Of course, it is better if they don't mine you, but it is up to them and their business plan (you have no control over it), however you can mitigate it via some methods if you feel uncomfortable.
The problem is in some cases it's not anonymous and way, way more than what's needed to improve products.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Playing around with F-Secure: the Chrome extension sends the whole URL to a query on localhost, process owned by fshoster32. I tried hammering the endpoint with a bunch of URLs and did not notice any traffic outgoing from that process.

I suspect F-Secure is using a whitelist or tiered lookup system. I am expecting if I provide an esoteric enough URL it might trigger a cloud lookup but so far I've not been able to get that behavior to trigger.
 
F

ForgottenSeer 58943

I almost became a privacy wonk. Then I decided to just not use google for anything too private. Now life is easy. They make good tools and I’m not endlessly searching through broken alternatives. I think telemetry has become a fear mongering word in security software. Even the privacy focused brands use it, they just are upfront or promise to anonymize data. If someone really wants to track you they’ll get you, because you’re using windows...and the internet.
Also, I agree that the internet wasn’t built to be private, but more of a public place. I love the image of people walking around with cardboard boxes on their head so no one sees them and they don’t see the ads. :ROFLMAO:

Privacy is easier to control if you always maintain it, and vastly more difficult to recover once you lose it. This is a very important thing people often forget when they start throwing everything out there into public domain intel, then later realize it may have been a bad idea and try to roll everything back.

For me (and family) it is easy now since we really never allowed too much to get out there. Now 2, maybe 3 times I a year I do a quick search engine check on each of us. Often I will find 1-2, sometimes 3-4 new things popping up. Getting those nixed is trivial, just a couple of requests and the job is done. I always think of this like a boat.. It's easy to run the bilge pump on a boat to keep water from building up. But once the water supersedes the capabilities of the bilge pump it's basically going to sink, the only factor is how long it takes. So keep the privacy bilge pump running, not too paranoid, just aware and careful, and keeping things tidy is easy.
 
F

ForgottenSeer 823865

The thing with internet if your level of trust is very low, is that you don't have to use your real name and you can even have several accounts/profile, even Google let you do it . You can setup a profile with your real ID and restrict it only to sites that requires it (gov, etc...) while surfing on the anon one for the rest.

But don't forget the platform you are on, having tons of privacy tools on your PC to preserve your real ID, won't help you a dim if you use the same profile on Android device which doesn't offer as many tools.

As I keep saying, limit the amount of info you expose online is worth 10 times those extensions.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
The thing with internet if your level of trust is very low, is that you don't have to use your real name and you can even have several accounts/profile, even Google let you do it . You can setup a profile with your real ID and restrict it only to sites that requires it (gov, etc...) while surfing on the anon one for the rest.

But don't forget the platform you are on, having tons of privacy tools on your PC to preserve your real ID, won't help you a dim if you use the same profile on Android device which doesn't offer as many tools.

As I keep saying, limit the amount of info you expose online is worth 10 times those extensions.
You can also wear a bag over your head on the way to the porn shop :ROFLMAO: , which is basically what most people digitally want.
I just don’t see the internet as a place that can really be private or should be used for private things. Zero trust, and not caring about being advertised to is my approach, may not be the best, but the constant privacy panic is exhausting.
 
F

ForgottenSeer 58943

I have a couple recent events that illustrated why privacy can be important.

A friend was stalked, badly, by an internet stalker and it became really real, fast. Another guy I know, his company hired someone that basically after a few days knew a whole lot about everyone and sort of used that as leverage against them. I know at least one person that had some of their medical data compromised on a site where you share health/fitness and other data.

The more information out there the more someone can turn the screws on you. If they have nothing, they can do nothing. We can see what all of that data is doing over in China. We can also see examples of it here in the USA already. We can see corporations do this and utilize public domain intelligence to build profiles on potential candidates they interview. Governments aren't good stewards of data. Even if they have no actionable intelligence on someone in terms of activity, they are still holding that data and they've proved themselves unsuitable hosts for it.

I was surprised to find banks and credit card firms have extensive opt-out's you can partake in. Login to their portals and look for privacy toggles. If not toggled, they will share your data, including purchase history to questionable third parties. I was also surprised to find Costco shares shopper telemetry and purchase history with third parties, but you can open a chat with them and opt-out. There are many examples of this, but keeping it under control is far easier than reigning it in after losing it. Also, if you take a privacy position it will become second nature, like taking a shower or putting your shoes on, it's just something you do out of habit, day to day.

Remember, if a product/service reduces or eliminates logs they are essentially activating better privacy by default. For example Gryphon sends no logs unless you manually send them, therefore any interception of anything is quite irrelevant. Companies that choose to offer no or reduced logging are actually doing you a service. Companies that extensive telemetry are doing you a great disservice.
 

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
Well I would like to say I am surprised, but I am not. Avast has been doing this for a while now and unfortunately it doesn't seem like it will change anytime soon, if ever. @Umbra is right, they have so many users that they probably don't care if they loose 100 geeks. If anything, the only reason as to why they user base is has high as it is, is because they offer a free version. Most of these people don't care anyways because they are getting something for free. So unless they all of a sudden loose like 60%+ of their users, they will keep doing this.(n)
Agree totally, but we don't have to join the lemmings if others don't care one jot or don't know anything about limited privacy it's worth making some effect as most on here do. I abhor Avast & its associates – We may all have the flu but don't need pneumonia :D:D:D
 

SeriousHoax

Level 47
Thread author
Well-known
Mar 16, 2019
3,630
According to Vlcek: Avast users have their Web activity harvested by the company’s browser extensions. But before it lands on Avast servers, the data is stripped of anything that might expose an individual’s identity, such as a name in the URL, as when a Facebook user is logged in.
So we absolutely do not allow any advertisers or any third party ... to get any access through Avast or any data that would allow the third party to target that specific individual
Bulls**t 😂
But they would probably make some changes after this controversy.
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Unfortunately, yes. There are some privacy-conscious extensions out there like Malwarebytes or Emsisoft Browser Security. But a lot of them will literally just report every URL and website you visit to a server somewhere.
While I see this is a bit unfortunate; I have to guess if the full URL is sent, it doesn't attach identifiable information or a fingerprint, right? Because if it sents the URLs you visit, and who you are, more like security extension it sounds like malware.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top