by Martin Brinkmann on December 03, 2019 in Firefox –
1 comment
If you search for Avast or AVG on the official Mozilla Add-ons website, you may notice that no results by these companies are returned. Neither Avast Online Security or SafePrice, nor AVG Online Security or SafePrice, are returned by the Store currently even though these extensions exist.
It appears that Mozilla removed these extensions from its Store. When you try to open one of the Store URLs of Avast or AVG extensions you get a “Oops! We can’t find that page” error message.
The extensions are not blacklisted by Mozilla. Blacklisted extensions are put on a blocklist — which is publicly available here — and removed from user browsers as a consequence.
Avast and AVG extensions have been removed but are not blocked which means that the extensions remain installed in Firefox browsers for the time being.
Mozilla added several dozen extensions for Firefox to the blocklist on December 2, 2019 which collected user data without disclosure or consent, but Avast’s extensions are not on the list.
What happened?
Wladimir Palant, creator of AdBlock Plus, published an analysis of Avast extensions in late October 2018 on his personal site. He discovered that Avast’s extension transmitted data to Avast that provided Avast with browsing history information. The data that the extension submits exceeded what is necessary to function according to Palant.
The extensions include the full address of the page, the page title, referer, and other data in the request. Data is submitted when pages are opened but also when tabs are switched. On search pages, every single link on the page is submitted as well.
The data collected here goes far beyond merely exposing the sites that you visit and your search history. Tracking tab and window identifiers as well as your actions allows Avast to create a nearly precise reconstruction of your browsing behavior: how many tabs do you have open, what websites do you visit and when, how much time do you spend reading/watching the contents, what do you click there and when do you switch to another tab. All that is connected to a number of attributes allowing Avast to recognize you reliably, even a unique user identifier.
Palant concluded that the collecting of data was not an oversight. The company states in its privacy policy that it uses anonymized Clickstream Data for “cross-product direct marketing, cross-product development, and third-party trend analytics.
Mozilla is in talks with Avast currently according to Wladimir Palant. Possible scenarios are that Mozilla will add the extensions to the blocklist that it maintains or will request that Avast makes changes to the extensions before they are reinstated.
The extensions are still available for Google Chrome at the time of writing.