Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?

Posted by Wladimir Palant

A month ago I wrote about Avast browser extensions being essentially spyware. While this article only names Avast Online Security and AVG Online Security extensions, the browser extensions Avast SafePrice and AVG SafePrice show the same behavior: they upload detailed browsing profiles of their users to uib.ff.avast.com. The amount of data collected here exceeds by far what would be considered necessary or appropriate even for the security extensions; for the shopping helpers this functionality isn’t justifiable at all.

Avast watching you while browsing the web

After I published my article I got the hint to look at Jumpshot, a company acquired by Avast in 2013. And indeed, that suddenly made perfect sense. On their website, Jumpshot praises its “clickstream data” product:

Incredibly detailed clickstream data from 100 million global online shoppers and 20 million global app users. Analyze it however you want: track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain.

That sounds exactly like the data that Avast collects from their SafePrice and Online Security users. Yes, you are the product – even if you paid for that antivirus.

Spying on your users is clearly a violation of the terms that both Google and Mozilla make extension developers sign. So yesterday I reported these four extensions to Mozilla and Google. Mozilla immediately disabled the extension listings, so that these extensions can no longer be found on the Mozilla Add-ons site. Mozilla didn’t blacklist the extensions however, stating that they are still talking to Avast. So for existing users these extensions will still be active and continue spying on the users.

Update (2019-12-04): I also reported these extensions to Opera. 16 hours later I received a response from Opera:

Thanks for reporting it to us. We unpublished these extensions from our store.

And what about Google? Google Chrome is where the overwhelming majority of these users are. The only official way to report an extension here is the “report abuse” link. I used that one of course, but previous experience shows that it never has any effect. Extensions have only ever been removed from the Chrome Web Store after considerable news coverage. Or does anybody have a contact at Google who would be able to help?

Update (2019-12-03): This article initially stated incorrectly that Google removed these extensions as well. This isn’t currently the case; somehow I didn’t look them up correctly.

Comments

  1. Dave

    Thanks!

  2. Michael Fever

    Nice work! The web needs more people like you!

  3. Hunter Lewis

    To quote ZDnet "We have already implemented some of Mozilla's new requirements and will release further updated versions that are fully compliant and transparent per the new requirements," the Avast spokesperson said. "These will be available as usual on the Mozilla store in the near future."

    Amazing how they got caught, and think it's perfectly OK to breach a contract and steal data from their clients.

    Reply from Wladimir Palant:

    Yes, I've seen their statements, and I wonder what their accepted solution is going to look like. Also whether they update the Chrome extension given that Google doesn't seem interested in taking action.

    That said, these statements aren't true of course. First of all, Mozilla's policies haven't seen any changes in years that would have been relevant here. Second, they collect far more data than necessary for the functionality and they know it. I've looked at Microsoft's Windows Defender Browser Protection browser extension today, that one only sends the hostname and path, no parameters and no context information. Microsoft also has a problematic instanceID parameter, but at least that one changes daily - it's not a persistent user identifier. Never mind having the exact same functionality in a shopping helper.

    But what else would one expect? Avast has already been caught four years ago, yet they somehow got away with claiming that they fixed the issue and simply continuing.

  4. Hunter Lewis

    Either way, thank you for the hard work you put into this, keep up the good job.

  5. jimmy michael

    Thanks, I'm sharing this on Twitter.

  6. George Hudson

    I'm curious about what's happening with the Honey extension too. I recently was browsing Macy's and noticed they started sending my email address back to their mothership...

  7. Bob

    Thanks for highlighting this. Avast are indeed collecting this data and re-selling it via Jumpshot, but they claim they have users' consent to do this and that’s why they can re-sell it. I’ve seen this data and it is incredibly granular. Data fields include a timestamp (to “millisecond precision”) as well as device ID, browser type and platform, full URL (which occasionally includes information like postcode, car registration, phone number etc), details of any searches undertaken while on that URL and derived location (from the IP). URLs can include visits to health websites, porn viewing etc. Everything that browser has looked at or searched for online. This data is sold to 3rd parties.

    Reply from Wladimir Palant:

    I'd doubt the "have user consent" part. The application indeed asks users about data collection when it is first installed. However, the browser extensions simply ignore this setting (yes, they know application settings and actually consider a bunch of them).
