Firefox Download Manager (S3) add-on captures the entire source code of Web pages and uploads it to a remote server

Oct 24, 2015 12:55 GMT

The add-on has been stripped of any privacy intrusion features and re-added to the Firefox Add-Ons Portal. See update below.

One of Mozilla's most popular extensions, Download Manager (S3), also known as S3 Download Manager, has been caught collecting user information and sending it to a remote server, a fact which led to its removal from the Mozilla Add-Ons Portal.

Download Manager (S3) is one of Firefox's oldest add-ons, being used as an alternative to the browser's built-in download management tools.

The add-on works by listing all recently downloaded files on a horizontal bar at the bottom of the browser, allowing easy access to file download details like download URL, file location on disk, checksum, file rename functions, play or pause downloads, and so on.

The add-on's spyware behavior is not activated by default

According to the developer who spotted the problems on Reddit, the culprit is a recent add-on version that comes with an option to support the add-on creator by showing advertisements on various Web pages.

If the user agrees, the add-on will begin its spying behavior and start collecting data on the user's activity, sending it to icontent.us, a Web service dedicated to providing analytics for Chrome extensions and Firefox add-ons. This data is then used to deliver targeted ads to users, based on the user's interests.

The problem lies in the fact that the Download Manager (S3) add-on is collecting the whole HTML contents of the pages the user navigates to, which may hold sensitive user information, as some of these pages appear after users log into their accounts (banking pages, Facebook accounts, Gmail inboxes, etc.; see Mr. Popov's response at the end of the article).

Add-on was removed from Mozilla's Add-Ons Portal

One of Mozilla's engineers was informed of this issue, confirmed the spying behavior, and had the add-on removed from Mozilla's Add-Ons Portal about 10 hours after it was reported.

On the Mozilla forums, the add-on author, Alexander Popov (Oleksandr), explained the behavior as follows: "If user consent is given, this add-on will show advertising on web pages. In that case, the user's browsing history can be accessed by a third party (ad network). This behavior does not extend to Private Browsing mode. ADVERTISEMENT DISABLED BY DEFAULT!"

Before being removed, the add-on's page on the Mozilla portal showed that around 117,000 users had installed and were using the plugin. If you've lost your trust in this developer and add-on, similar functionality is provided by the Download Status Bar add-on.

We have contacted both Mozilla and Mr. Popov for further comments.

UPDATE 1: Mr. Popov has answered our email. You can see his response in the image below.

UPDATE 2: Dan Callahan, engineer in Developer Relations at Mozilla, has told Softpedia that their staff contacted Mr. Popov, but he has yet to respond to them. He further said they've also checked the developer's other plugins and that, besides Download Manager (S3), another add-on was found to have similar behavior and was also removed from the add-ons portal. If Mr. Popov removes the privacy-intrusive behavior from his add-on's code, Mr. Callahan said that the Mozilla staff won't have any issues with relisting the add-ons on their portal.

UPDATE 3: Mr. Popov was in touch with the advertising network, and has received the following answer:

“Sending the content of the site was needed in order to make the in-text advertisement work. At no point of time we were planning to spy on someone or steal info. The html code itself was sent to our cloud servers in order to decrease load on a user’s end. Once content was received, our algorithm analyzed and picked up certain phrases and inserted in text lines on original websites. After analysis all info was deleted from our cloud and never used later on. Nevertheless, in order to follow the needs of Oleksandr Popov and the requirements of FireFox AMO, and also in order to avoid this problem for other partners, the following feature was turned off for now. In the nearest future the tool would be changed so, that most operations would be done on client side.”

Additionally, Mr. Popov also told Softpedia: "From my side I would like to add, that I was a bit confused with such a behavior of users using my app for such a long time, and I do understand that the fear and suspiciousness of several users, has led to the fact that 100k+ users were not able to use add-on they like and need. On other hand I do understand that nowadays people are really afraid that personal information might be stolen. Having these thoughts I have contacted advertising company and the following feature was turned off so that the whole html won’t be sent anywhere any longer."

"Fortunately all misunderstandings were solved, my add-on is active again and ready to be installed and used by users," also added Mr. Popov.

Mr. Popov's response

Download Manager S3 spying on users (image gallery):

Download Manager (S3) in action
Download Manager (S3) add-on loading extra JS code
Download Manager (S3) add-on sending page data to a remote server