Package: webext-bulk-media-downloader
Version: 0.2.1-3
Severity: normal
Usertags: privacy

When I start Firefox with a new profile, the extension opens a tab that
submits an unencrypted HTTP GET request to add0n.com with the add-on
name and version number, example URL below. This is a privacy issue
unless the user also uses the -offline option when starting Firefox.
The correct solution is either to ship the information to be conveyed
to the user with the package itself (like Privacy Badger does) or to
ask the user if they would like to load the remote page (only for
information that must be updated separately to the package). Looking at
the source code, it also loads the add0n.com website when the add-on is
upgraded or removed (URLs below).

$ firefox -profile $(mktemp -d tmp-firefox-profile-XXXXXXXXXX)

http://add0n.com/media-tools.html?version=0.2.1&type=install
http://add0n.com/media-tools.html?version=0.2.1&type=upgrade
http://add0n.com/feedback.html?name=Bulk%20Media%20Downloader&version=0.2.1

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

webext-bulk-media-downloader depends on no packages.

Versions of packages webext-bulk-media-downloader recommends:
ii  firefox  62.0-1

webext-bulk-media-downloader suggests no packages.

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
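
A packaging-time check for the behaviour reported above, as an added example that is not part of the original report or the extension's own code: it scans WebExtension JavaScript for remote URLs handed to `tabs.create` or `runtime.setUninstallURL` and lists the query parameters each one sends. The `SAMPLE` source is constructed for illustration from the URLs in the report, and the three-line lookback used to associate a URL with an API call is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# WebExtension calls that make the browser load a page without user action.
SINKS = ("tabs.create", "runtime.setUninstallURL")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
PARAM_RE = re.compile(r"[?&]([\w-]+)=")

# Constructed sample, not the extension's real source; URLs are from the report.
SAMPLE = """\
chrome.runtime.onInstalled.addListener(details => {
  const version = chrome.runtime.getManifest().version;
  chrome.tabs.create({
    url: 'http://add0n.com/media-tools.html?version=' + version + '&type=install'
  });
});
chrome.runtime.setUninstallURL(
  'http://add0n.com/feedback.html?name=Bulk%20Media%20Downloader&version=0.2.1');
const HELP = 'about:addons';
"""

def audit(source, lookback=2):
    """Report every remote URL, the API call near it, and what it transmits."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        # Assumption: the call that consumes the URL starts at most
        # `lookback` lines above the URL literal.
        window = "\n".join(lines[max(0, i - lookback):i + 1])
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            findings.append({
                "line": i + 1,
                "host": parts.hostname,
                "cleartext": parts.scheme == "http",
                # Names are collected from the whole line so that query
                # strings built by concatenation are still covered.
                "params": sorted(set(PARAM_RE.findall(line))),
                "sink": next((s for s in SINKS if s in window), None),
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        proto = "cleartext HTTP" if f["cleartext"] else "HTTPS"
        print(f"line {f['line']}: {f['sink']} -> {f['host']} "
              f"({proto}), sends {', '.join(f['params'])}")
```
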
