AMO moving into the right direction

Thanks to morgamic for telling me this, I probably wouldn’t have noticed otherwise — Addons.Mozilla.Org has made an important move towards raising the quality bar. The autogenerated spyware-infested Conduit-based toolbars have been disabled, all 93 of them. Any new submissions will be automatically rejected. Way to go, AMO!

Mike Shaver writes:

Shortly, all Conduit-based toolbars on the Mozilla Add-ons site ( will be disabled, as Mozilla has determined that they are not appropriate for hosting on AMO. Authors of existing add-ons will receive email notifications of the disabling, and future submissions of Conduit will be denied by our reviewers.

Thanks, Mike! That’s 93 security holes less.


  • IceDogg

    Great news! Keep up the good work.

  • Marsh

    You call that moving in the right direction?
    I don’t personally use Conduit as an author but I have installed a few of their toolbars. If you dig a bit deeper into the issues you’ll see that Conduit DOES NOT include spyware. The toolbar does send anonymous usage statistics (check with a network sniffer) but many applications do nowadays and most modern websites collection much more information about you than a Conduit toolbar. Any site that uses Google Analytics is MUCH more of an invasion of your privacy than a Conduit toolbar.
    With this step Mozilla is starting to behave like they’re the Internet’s police officer. The next step will be for them to remove extensions like AdBlock just because it harms their revenues. What ever happened to ecosystems where USERS determine what they want, not what big brother wants? Who gave Mozilla (or Mike Shaver) the right to govern what extensions are good enough for users?
    If users do not want to install extensions from Conduit, fine. But if users have chosen to install and use specific extensions (some of the Conduit extensions have received hundreds of thousands of downloads on AMO) why should Mozilla suddenly determine that these extensions are not good enough?
    I’m personally very worried about this step. How can I now trust Mozilla not to “hide” content from me? If Mozilla continues to behave like this how can we be sure that the next step won’t be for them to block some content from appearing in the browser? Maybe somebody in Mozilla will suddenly decide that adult web sites are not fit for Firefox users and start blocking them automatically?
    What Mozilla should have done is create some kind of sandbox where all extensions can be found. Popular extensions in the sandbox (where users determine what’s popular) will be promoted to the general public. This model has been proven to work on the Internet (it’s very similar to Digg) and creates an ecosystem where users can freely access all content without restriction but the general public is only exposed to the cream of the crop (protecting the general public from “bad” content).
    This step Mozilla has taken should actually make you worry about your freedom on the Internet…

    Wladimir Palant

    There must be some misunderstanding. These extensions are no longer listed on AMO, that doesn’t mean that they cannot be promoted anywhere else. There are quite a few extensions that you cannot find on AMO (like LiveHTTPHeaders or Aardvark) and there are quite a few other resources where you can download Firefox extensions (like The Extensions Mirror). On the other hand, when AMO provides you the platform to promote your extension, they set the rules. You can find it undemocratic but you have to accept this or find yourself another hosting platform. And if AMO decides that hosting an extension that provides minimal functionality to hide a totally unrelated secondary function is not in the best interest of their users – it is their full right to remove this extension. After all, AMO has a responsibility towards their users. You can try to submit a spyware application on or any similar site and you will soon notice that all of them have protection mechanisms in place.

    The important point really is this non-obvious secondary function. Every toolbar is promoted by its features, the spyware function is well-hidden. Therefore it is very much a concern, no matter what data is transmitted – this extension shouldn’t transmit any data at all. Download numbers don’t matter, if you manage to trick users into downloading spyware it doesn’t automatically mean that spyware is good. Maybe you noticed, there has been a long discussion about whether these toolbars should be allowed on AMO. For some time the solution has been to require these extensions to show users a privacy policy – but you should know that most users ignore those, especially the unexperienced users these toolbars are targeted to. So AMO was finally convinced that this issue needed a better solution (it is in particular Mike Shaver who needed lots of convincing).

    I find this a very important step since users tend to trust anything that is offered on AMO and so far AMO didn’t perform too well dealing with this trust. In the article I linked I mentioned security vulnerabilities that I found in many extensions, one of the most interesting finds was a wide open hole in all Conduit toolbars that allowed any web site to easily take over your computer. Given that this vulnerability was very obviously introduced intentionally Conduit will have a hard time explaining it. I hope that this find was one of the reasons for AMO to finally change their policy.

    And while your analogy with browsing porn sites is deeply flawed, there is something true about it. If one follows your arguments, phishing sites are justified as long as there are users visiting them. Thankfully Mozilla didn’t agree and phishing protection is now built into Firefox. You can make a stand for phishing sites and against censorship but I think you will be vastly outnumbered.

    By the way, AMO does in fact plan to improve their review process by introducing a “sandbox”: However, there will still be a review necessary before an extension gets into the “public” area and one main purpose of this review is to make sure that the extension doesn’t expose users to any hidden risks. Popularity doesn’t show it, only few users dissect an extension before installing it.

  • No Just Us for Peace

    Next on the chopping block should be extensions that insert affiliate codes without FIRST explaining honestly that the extension does this AND requiring the user to OPT-in to this nefarious behavior.

    That kind of nonsense qualifies some extensions as malware! AMO should not tolerate tangentially-malware or other sneakiness.

    Wladimir Palant

    AMO doesn’t tolerate this – if you find an extension that does it you should report it.

  • Nicki

    Hooray for the AMO dev crew! :D

    Seriously, they have done a fabulous job updating the AMO site/interface. I’m very proud of them. :)

  • Carnage

    Here is something nasty that conduit does.

    pref(“ ags”, 9);

    “turns absolutely everything on and makes everything scriptable—even those ActiveX controls flagged as “do not script me“—set these preferences:”

    Wladimir Palant

    That’s very ugly. Does it also install the ActiveX control? But last I checked Conduit didn’t even fix the huge backdoor that I reported – you don’t need ActiveX to “0wn” user’s computer if he has a Conduit toolbar installed.

  • Guy

    We just ran into that last comment and checked up on the ‘pref(“ ags”, 9)’ issue.

    This is what we discovered:
    The code in the file “active.js” is not executed, because the ‘pref’ function is not defined.
    That file was removed from version and up, since it was not in use.

    What “huge backdoor that I reported” are you referring to?

    This is a very serious allegation since it is of the utmost importance for us to make sure that our toolbars are safe to install and use (our business depends on it). If you know of any existing problem please let us about it ASAP.

    Wladimir Palant

    I checked out soonerscoop toolbar to verify – the backdoor is still there and allows any website to execute code with user’s privileges. I reported that issue to Conduit and got a mail from Dror Erez asking for details – I replied it on 14 Jun 2007 16:33:53 +0200 with a testcase. That testcase still works, it checks the cookies the user has in his browser (it could do far more of course), so I don’t feel comfortable publishing it.

  • Guy

    Please send us the test case that you have to so that we can address it asap.

    Wladimir Palant

    That’s what I did the first time already (and before that I reported the issue to Mozilla who forwarded my report to Conduit). Still waiting for my US$5000 reward. Sure your contact page isn’t a black hole any more? Ok, will try again…

    Wladimir Palant

    Sent yet another mail through that web page…