The plug-in for Firefox, which downloaded about 7 million times, spied on users
And this is not an exaggeration. The plugin, which is called Ant Video Downloader and Player, existed for a long time in the Mozilla plugin directory. For all the time of his “life”, the plugin was downloaded more than 7 million times, and its users downloaded, who were tempted by the loud name of the plugin and the declared functions. However, it turned out that in addition to working in the video, the plug-in perfectly spies on users, and it does it even when private mode is enabled or even when using Tor and other similar services. By the way, the plugin has earned the maximum rating - five stars out of five possible. The number of downloads was 7 thousand per day.
After discovering the “dark side” of this plugin, network security experts raised the issue of the reality of providing sufficient security for Mozilla Firefox. The plugin itself worked by performing the functions declared by the developers, but at the same time it also sent the developers information about the visited sites and some other information. In addition, each log was tied to a specific user with the help of a special identifier, which the plugin assigned to a specific PC during installation.
This identifier is not so easy to get rid of, it remained the same, even if the plugin was demolished, and then put again. One can imagine how much information could be obtained about each of the users who downloaded the plugin by analyzing the logs. Naturally, the identity of the user, whose history of web visits is known, is established very simply. If you wish, you can “dig up” such compromising information on some figures, which will not seem to be so bad if the developers decided to open such information (in principle, it is still unknown where all this “leaked” and how the user data of millions of people are used).
')
By the way, the spyware component of this plugin was discovered by experts on May 10, however, it was removed today from the Ant Video Downloader and Player catalog.
Here is what was published by the person who discovered the “black” methods of the plug-in:
Ant.com servers responded as follows:
In general, there are no guarantees that any “white” plugin, which is now in the Mozilla catalog, is not the same spyware module as the plugin mentioned in this news.
Via theregister
After discovering the “dark side” of this plugin, network security experts raised the issue of the reality of providing sufficient security for Mozilla Firefox. The plugin itself worked by performing the functions declared by the developers, but at the same time it also sent the developers information about the visited sites and some other information. In addition, each log was tied to a specific user with the help of a special identifier, which the plugin assigned to a specific PC during installation.
This identifier is not so easy to get rid of, it remained the same, even if the plugin was demolished, and then put again. One can imagine how much information could be obtained about each of the users who downloaded the plugin by analyzing the logs. Naturally, the identity of the user, whose history of web visits is known, is established very simply. If you wish, you can “dig up” such compromising information on some figures, which will not seem to be so bad if the developers decided to open such information (in principle, it is still unknown where all this “leaked” and how the user data of millions of people are used).
')
By the way, the spyware component of this plugin was discovered by experts on May 10, however, it was removed today from the Ant Video Downloader and Player catalog.
Here is what was published by the person who discovered the “black” methods of the plug-in:
POST / HTTP/1.1
Host: rpc.ant.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Content-Length: 327
Cookie: __utma=1.1249745586.1303010447.1305056403.1305056954.3; __utmz=1.1303010447.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.4.10.1305056954
X-Ant-UID: {0D908E35-A6A6-4326-B03A-CD8409A7FB79}
X-Ant-Agent: vdmoz-2.3.0-stable.linux-linux-i686
Pragma: no-cache
Cache-Control: no-cache
{"version":"1.0","id":1,"method":"rank","params":[{"url":"http://www.theregister.co.uk/","ref":"","uid":"{0D908E35-A6A6-4326-B03A-CD8409A7FB79}","uagent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17","lang":"en-us, en"}],"agent":"vdmoz-2.3.0-stable.linux-linux-i686"}HTTP/1.1 200 OKAnt.com servers responded as follows:
Content-Type: application/json
Content-Length: 50
Server: thin 1.2.7 codename No Hup
Connection: close
Date: Tue, 10 May 2011 20:19:09 GMT
{"version":"1.0","id":1,"code":0,"result":"4,086"}In general, there are no guarantees that any “white” plugin, which is now in the Mozilla catalog, is not the same spyware module as the plugin mentioned in this news.
Via theregister
Source: https://habr.com/ru/post/119796/
All Articles