757 points shak77 | 4 comments
blauditore ◴[] No.15932880[source]
Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts in to studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
kryptiskt ◴[] No.15933656[source]
The major problem is that they installed an add-on without properly communicating what it was. A somewhat smaller problem but still a big problem is that it was an utterly frivolous add-on that shouldn't have been pushed to people who didn't explicitly want it. But the biggest problem is that Mozilla seems to have trouble understanding why either of those two would be a problem; I want my browser vendor to be serious and not play silly games that can so easily backfire.

Yeah, add-ons from Mozilla merit the same trust as the browser. But this cuts both ways: this stuff undermines my and probably more people's trust in the browser.

replies(7): >>15933923 #>>15934093 #>>15934185 #>>15934482 #>>15934861 #>>15934910 #>>15935508 #
kryptiskt ◴[] No.15935508[source]
So this is the first response from Mozilla in the Gizmodo article:

“Firefox worked with the Mr. Robot team to create a custom experience that would surprise and delight fans of the show and our users. It’s especially important to call out that this collaboration does not compromise our principles or values regarding privacy. The experience does not collect or share any data,” Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said in a statement to Gizmodo. “The experience was kept under wraps to be introduced at the conclusion of the season of Mr. Robot. We gave Mr. Robot fans a unique mystery to solve to deepen their connection and engagement with the show and is only available in Firefox.”

This is horrible. They pushed out this crap under false pretenses as a study and obfuscated it. Don't talk the ethics talk if you're not prepared to do the ethics walk.

replies(4): >>15935755 #>>15935963 #>>15938255 #>>15940019 #
1. acqq ◴[] No.15935963[source]
> Don't talk the ethics talk if you're not prepared to do the ethics walk.

Exactly.

> "The experience does not collect or share any data," Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said

Looking in the sources of the extension, it adds an additional HTML header to every HTML request to https://www.red-wheelbarrow.com/forkids/ pages. The activity of the users there could of course be tracked and the data dependent on the extension being active collected. Good try Mr. marketing officer of Mozilla delivering Mr. Robot ad using the mechanism for the "studies."

> "Firefox worked with the Mr. Robot team to create a custom experience that would surprise and delight fans of the show and our users."

Obviously fail. Surprise, yes. Delight? No.

replies(1): >>15936599 #
2. callahad ◴[] No.15936599[source]
The add-on only initializes itself (and thus sends the header) if the user has manually gone into about:config and flipped the `extensions.pug.lookingglass` preference: https://github.com/gregglind/addon-wr/blob/59659431fd2a75c33...
replies(1): >>15936613 #
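
An added example, not part of the thread and not the add-on's own code: a check for whether the preference named in the comment above has been set in a Firefox profile. It assumes the `user_pref("name", value);` line format of a profile's `prefs.js`; the sample contents, `parse_prefs` and `pref_state` are constructed for illustration.

```python
import json
import re

# Preference named in the comment above; per that comment the add-on stays
# inert unless this has been flipped by hand in about:config.
WATCHED_PREF = "extensions.pug.lookingglass"

# One user_pref("name", value); call per line (assumed prefs.js layout).
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.+?)\s*\)\s*;\s*$'
)


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        try:
            name = json.loads(match.group(1))
            value = json.loads(match.group(2))  # true/false, ints, "strings"
        except ValueError:
            continue  # value is not a plain literal; skip rather than guess
        prefs[name] = value
    return prefs


def pref_state(text, name=WATCHED_PREF):
    """Classify the watched pref as 'enabled', 'disabled' or 'unset'."""
    prefs = parse_prefs(text)
    if name not in prefs:
        return "unset"  # never written to the profile, so still at default
    return "enabled" if prefs[name] is True else "disabled"


# Constructed sample profile contents, not taken from a real profile.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("browser.startup.homepage", "https://example.org/?q=a,b");
user_pref("extensions.pug.lookingglass", true);
'''

if __name__ == "__main__":
    print(WATCHED_PREF, "->", pref_state(SAMPLE_PREFS))
```
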
3. acqq ◴[] No.15936613[source]
It was obviously not complete in the form it was delivered, the "turning on" was supposed to be added somewhere at some later moment.

The whole thing is still suspicious: it was delivered to everybody whereas if it was supposed to be used only by the users who are aware of it, as now Mozilla tries to spin it, i.e. only to those who decided to "play the game", then the hidden install, especially to every user, was unnecessary as the normal extensions to Firefox are easily installed by the user, a click or two are enough:

https://addons.mozilla.org/en-US/firefox/addon/tabby-cat-fri...

replies(1): >>15940204 #
4. acqq ◴[] No.15940204{3}[source]
The proof of the planned data collection, confirming my previous claims, found declared in the source of the extension itself:

"## Observed data

- Possible page view counts on SUMO

- Possible page view counts (with and without the special 'enrolled' header) on Partner pages."

I've also already explained the "special 'enrolled' header."

The turning on was obviously either planned for some special moment, which wasn't the moment that the extension was actually delivered, or the extension was accidentally delivered in the unfinished state -- doesn't matter, it provably didn't get enough scrutiny, see my other comments here for the details, the damage it has actually done is regarding "tracking" less than planned, but regarding annoyance of their users probably more.