The beginning

A very suspicious-looking add-on that was hidden in the debug

It’s been a quiet evening, and I’ve been digging into my Nokia 8110, playing around with WebIDE — an IDE embedded into Firefox that is required in order to make application for KaiOS, which Nokia 8110 happens to run. For some reason I had to go to my add-ons page, where all the add-ons are displayed — from Mozilla’s own ADB Bridge to interact with Android to my favority Ad-blocker. But this time I had to go further and open the “Debug add-ons” page, and there I saw two add-ons not listed anywhere else — fxmonitor@mozilla.org.xpi and telemetry-coverage-bug1487578@mozilla.org.

The name suggested that these add-ons has to do something with telemetry, but I’ve remembered that I explicitly turned all the telemetry off.

The privacy option of my Firefox stated that all the telemetry is turned off

This was true, yet two obviously telemetry-related add-ons had been installed into my browser without me even knowing about them, and I had to investigate.

The reveal

The culprit had been found fast — Mozilla wanted to collect data on how many users have opted-out of telemetry, so it decided silently install tracking add-ons into everyone’s browsers to know who dared opting-out.

The déjà vu

The situation heavily reminded me of a very similar situation wit thee Looking Glass extension, that also got installed silently and without use consent, but made no attempts at concealing itself from the user, and asked if it should be enabled on the fist start. One of the reviews from its page reads:

Oh great, and to think I was using firefox to avoid adware. At least chrome asks for permission. Mozilla stealth installing unwantedware… What’s the next step? Installing the extensions without user knowledge (and without agreement) and omitting it from the list? Or maybe bundling blobs in the binaries itself? Well, looks like it is time for a browser upgrade.

It looks like that’s exactly what is happening now — this time the telemetry extension made clear effort to hide its activity by only showing up on a debug page and never asking anything from the user — quite on the contrary, it does exactly what had been explicitly told not to do to the browser by turning off opt-out telemetry.

When the LookingGlass fiasco blew over Mozilla, they’ve made a very reassuring apology:

We’re sorry for the confusion and for letting down members of our community. While there was no intention or mechanism to collect or share your data or private information and The Looking Glass was an opt-in and user activated promotion, we should have given users the choice to install this add-on.

However, today it had been proven that installing add-ons without giving users a choice is not a problem for Mozilla, and they are willing to do it over and over.