757 points shak77 | 2 comments
blauditore No.15932880
Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts in to studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
vorpalhex No.15933001
This is being added to the browser, outside the realm of security updates, through what is supposed to be a UX improvement program, for commercial purposes. It's written by a commercial company that produces advertisement content. It's not clear this code is audited.

Sorry, but I'm uninstalling Firefox. They have broken the basic trust I have in them as a user to not push arbitrary code to my machine against my interests.

replies(3): >>15933127 #>>15933285 #>>15933317 #
zie No.15933317
Have fun in Lynx. That's probably the only browser that wouldn't do something like this.

Well maybe Safari, not because Apple wouldn't, but because they just don't care enough about ad revenue.

Chrome: They leech everything they can get away with, granted it goes only to Google, but you know it's just to feed their never-ending ad-revenue goal.

MS: They bypassed IE-only ads, and went on to build ads into the entire OS.

replies(7): >>15933412 #>>15933505 #>>15933911 #>>15934063 #>>15934341 #>>15934844 #>>15935952 #
geofft No.15933911
I'm running Firefox via Debian, and I intend to continue running Firefox via Debian - I trust that the outcry in the Debian community would be so huge if the Firefox maintainer (or any other maintainer) allowed this sort of code from upstream through.
replies(1): >>15937429 #
1. zie No.15937429
Well, FF did just get caught with their pants down, installing a Mr. Robot (TV show tie-in) add-on (extension) to FF users, without their consent. Since it was an add-on that was pushed after a Debian install, Debian devs wouldn't have been able to catch it before it reached end-users.

That said, I still use FF, but I do make sure I keep all the opt-in telemetry and stuff off, since it was one of these settings that "let them" get away with installing the add-on without consent.

Granted, the add-on by default didn't do anything unless you enabled it, but still...

replies(1): >>15943596 #
2. geofft No.15943596
The Debian package of Firefox is not supposed to pull any code directly from Mozilla - whether security updates, marketing tie-ins, updated SSL libraries, whatever. Like all Debian packages, code is supposed to go through Debian. The only Debian programs that are supposed to fetch code on their own are ones where you explicitly tell it to do so (e.g., you're running `pip install` or something).

So the only way this code would end up on my machine is one of two ways:

1. The Debian Firefox package is pulling code from Mozilla without the maintainer's review (which is definitely possible, given how complex Firefox is and how there's approximately one person packaging updates including timely security updates), which would of itself be seen as a serious problem

2. The Debian maintainer specifically picked up this code as part of the tarball from Mozilla, and shipped it without noticing (also definitely possible!) or decided it was worth including

For what it's worth, I do not have this plugin in about:addons, and Debian unstable hasn't picked up a Firefox update since December 1, so as far as I can tell the system is working properly.