I've reported these and several other extensions again every time they were updated in great technical detail and through various official channels, but stopped bothering when about a year and several extension updates later nothing had changed.
If you still happen to have the technical detail you sent off somewhere, that seems like it would be a great reference for starting to learn what to look for. Hell, I'm sure HN would appreciate it as a submission (assuming it actually gets eyes and doesn't die in new).
I hadn't really cared about this topic, because it adds yet more cognitive overhead and I was relying on Mozilla to care. Seems this faith was misplaced.
Seems like I didn't keep it around, but it amounted to a description of the violation, some reproduction steps where applicable, and essentially a stacktrace for the offending code in the distributed extension package (xpi) and in the source code when publicly available.
As for the extensions I listed in my older comment, as far as I remember:
- Even though the extension policy explicitly and unconditionally forbids it, they were all sending some form of telemetry to either Google or Sentry without so much as a mention, let alone having provided any sort of opt-out controls.
- Some would load and run external scripts at runtime (not limited to "just" Google Analytics/Tags stuff), none of which appeared to be nefarious in nature - when I checked them over after downloading them directly, that is. Obviously, as is the whole point behind not allowing them, the external script could simply be swapped out for something else one day, or a different one could be served depending on whether it was requested by the extension.
- One of them would occasionally advertise the author's other extensions when new or updated, either with a weird in-page popup notification or a video announcement on YouTube, for which it would hijack the current tab or create and focus a new one.
- Tracking parameters would be added to outgoing links by several extensions, including ones to third parties, which I guess were partners/affiliates, which is also forbidden.
Tangent: Funny thing is that even Firefox itself ignores a disabled "Allow Firefox to send technical and interaction data to Mozilla" setting by tacking on parameters to all of the preinstalled search engine providers' results pages, and all external pages the browser provides links to such as documentation, legal, support, and other Mozilla product pages. Perhaps no PII, but interaction data is interaction data and no is no.
Of course this isn't all, and there are more offenders besides those extensions I listed before. Just downloading the extension (from the extension page; easiest to use a different browser and "save as", since Firefox will ask to install), unpacking the XPI archive, and grepping for common telemetry service names/collection endpoints or suspicious terms like "promo" or "utm" will do it in most cases (the Mozilla extension review team should try it sometime). Although let me know if you want some more pointers or details on specific extensions.
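The download-unpack-grep routine described in the comment above, as an added example that is not part of the thread and not code from any of the extensions mentioned. An XPI is an ordinary zip archive, so the script opens it with Python's zipfile module and runs a set of regexes over every .js/.json/.html member, reporting file, line and which pattern hit. The pattern list is an assumption for illustration (not Mozilla's review criteria, and not exhaustive); the sample add-on built by `build_sample_xpi()` is constructed for the demo and is not any real extension.

```python
import io
import json
import re
import zipfile

# Assumed patterns in the spirit of "grep for telemetry endpoints and
# suspicious terms". Extend freely; this is not an official checklist.
TELEMETRY_PATTERNS = {
    "google-analytics": r"google-analytics\.com|googletagmanager\.com|\bgtag\(|analytics\.js",
    "sentry": r"sentry\.io|ingest\.sentry|\bSentry\.init\b",
    "tracking-params": r"\butm_[a-z]+\b|[?&]ref(?:erral)?=",
    "promo": r"\bpromo\b",
    # script tags created at runtime, or a .src pointing at a remote URL
    "remote-script": r"createElement\(['\"]script['\"]\)|\.src\s*=\s*['\"]https?://",
}

# An XPI is a plain zip; only text-like members are worth grepping.
SCANNED_SUFFIXES = (".js", ".json", ".html", ".htm")


def scan_xpi(xpi_bytes: bytes):
    """Return (member, line_no, pattern_name, excerpt) for every matching line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCANNED_SUFFIXES):
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for name, pattern in TELEMETRY_PATTERNS.items():
                    if re.search(pattern, line):
                        findings.append((info.filename, line_no, name, line.strip()[:80]))
    return findings


def summarize(findings):
    """Count hits per pattern name, e.g. {'google-analytics': 2, ...}."""
    counts = {}
    for _, _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_sample_xpi() -> bytes:
    """Constructed sample add-on (hypothetical) that does the things complained about."""
    manifest = {
        "manifest_version": 2,
        "name": "Sample Extension",
        "version": "1.0",
        "background": {"scripts": ["background.js"]},
        # MV2 CSP relaxed to allow a remote analytics host: visible in the manifest alone
        "content_security_policy": "script-src 'self' https://www.google-analytics.com; object-src 'self'",
    }
    background_js = "\n".join([
        "const ga = document.createElement('script');",
        "ga.src = 'https://www.google-analytics.com/analytics.js';",
        "document.head.appendChild(ga);",
        "function decorate(url) { return url + '?utm_source=sample-ext'; }",
    ])
    content_js = "// Benign content script: no network calls\n" \
                 "document.body.dataset.sampleExt = \"1\";"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
        zf.writestr("background.js", background_js)
        zf.writestr("content.js", content_js)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a downloaded .xpi as the first argument; otherwise scan the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    for member, line_no, name, excerpt in scan_xpi(data):
        print(f"{member}:{line_no}: [{name}] {excerpt}")
    print(summarize(scan_xpi(data)))
```

Run it as `python3 scan_xpi.py downloaded-extension.xpi`; it prints one line per hit. On the constructed sample it flags the CSP line in manifest.json plus three lines in background.js, and nothing in content.js. The same result comes from `unzip ext.xpi -d ext && grep -rniE 'google-analytics|sentry|utm_|promo' ext`; the script only adds the remote-script heuristic and a per-pattern summary, and a clean grep is of course not proof of a clean extension, since strings can be built at runtime.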
> One of them would occasionally advertise the author's other extensions when new or updated, either with a weird in-page popup notification or a video announcement on YouTube, which it would hijack the current tab or create and focus a new one for to show.
Looks like pocket tube; I see "https://p.yousub.info/referral" mentioned in the extension. I can fully comprehend Giphy's tracking code, but pocket tube's eludes me.
I have started a GitHub repo to try and report them, but I only have time for Giphy for now. [1] Plus I have not done this sort of thing before. Any pointers are very appreciated.