The Firefox extensions built by Avast have been pulled from the open-source browser's online add-on store over privacy fears.
Adblock Plus founder Wladimir Palant confirmed this week Mozilla has taken down the Avast Online Security and Avast-owned AVG Online Security extensions he reported to the browser maker, claiming the code was snooping on users' web surfing.
The problem, as Palant has been documenting on his blog for some time, is that the extensions – which offer to do things like prevent malware infections and phishing – go well beyond their needed level of access to user information to do their advertised functions.
According to Palant, the Avast extensions, when installed in your browser, track the URL and title of every webpage you visit, and how you got to that page, along with a per-user identifier and details about your operating system and browser version, plus other metadata, and then transmit all that info back to Avast's backend servers. The user identifier is not always sent, according to Palant: it may not be disclosed if you have Avast Antivirus installed.
The rub seems to be that Avast says it needs this personal data to detect dodgy and fraudulent websites, while Palant argued the company goes too far and wanders into spyware territory. While Avast's explanation is plausible, there are much better and safer ways to check visited pages for nastiness, typically involving cryptographic hashes of URLs, than firing off all visited web addresses to an Avast server, we note.
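One common shape of the hash-based check mentioned above, as an added example that is not Avast's, Mozilla's or Palant's code: the client keeps a local list of truncated SHA-256 hashes and contacts the server only on a local hit, sending just the prefix. The 32-bit prefix length, the simplified host-plus-path canonicalization, the function names and the sample URLs are all assumptions made for illustration.

```javascript
// Added illustration (not Avast's or Mozilla's code): hash-prefix URL reputation lookup.
const { createHash } = require("node:crypto");

const PREFIX_HEX = 8; // assumption: 32-bit prefixes, i.e. 8 hex characters

// Simplified canonical form: host plus path. Scheme, query string and fragment are
// dropped, so session tokens and search terms never enter the hash.
function canonicalize(rawUrl) {
  const u = new URL(rawUrl);
  return u.hostname.replace(/\.$/, "") + u.pathname;
}

function sha256Hex(text) {
  return createHash("sha256").update(text, "utf8").digest("hex");
}

// Vendor side: the list shipped to every client holds only truncated hashes.
function buildPrefixSet(badUrls) {
  return new Set(badUrls.map((u) => sha256Hex(canonicalize(u)).slice(0, PREFIX_HEX)));
}

// Vendor side (stub): returns all full hashes under a prefix and records what it was sent.
function makeServer(badUrls) {
  const fullHashes = badUrls.map((u) => sha256Hex(canonicalize(u)));
  const seen = [];
  const lookup = (prefix) => {
    seen.push(prefix);
    return fullHashes.filter((h) => h.startsWith(prefix));
  };
  return { lookup, seen };
}

// Client side: check a visited page. `sent` is everything that left the machine.
function checkVisit(rawUrl, localPrefixes, lookup) {
  const full = sha256Hex(canonicalize(rawUrl));
  const prefix = full.slice(0, PREFIX_HEX);
  if (!localPrefixes.has(prefix)) return { verdict: "clean", sent: null };
  // Local prefix hit: fetch candidates and compare the full hash on the client,
  // so a prefix collision with a harmless page is resolved without revealing it.
  const blocked = lookup(prefix).includes(full);
  return { verdict: blocked ? "blocked" : "clean", sent: prefix };
}

// Constructed sample data using reserved test domains.
const BAD_URLS = ["http://phish.example/login", "http://malware.test/payload.exe"];
const server = makeServer(BAD_URLS);
const prefixes = buildPrefixSet(BAD_URLS);
console.log(checkVisit("https://bank.example/account?session=abc123", prefixes, server.lookup));
console.log(checkVisit("http://phish.example/login?next=/home", prefixes, server.lookup));
console.log("server saw:", server.seen);
```

The stub server's log ends up holding one 8-character prefix for the flagged page and nothing for the banking page, whose URL and query string never leave the browser.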
Palant also accused the Avast SafePrice and AVG SafePrice extensions of similarly harvesting people's information: SafePrice checks you're getting a good deal when shopping online.
AVG bought a company called Jumpshot in 2013, three years before AVG was acquired by Avast, that touts "clickstream data" that includes "100 million global online shoppers and 20 million global app users. Analyze it however you want: track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain" – which sounds a lot like the data the Avast and AVG extensions collect.
It's not a great look for the security outfit: harvesting people's information and selling it. Above all, Avast has fallen foul of Mozilla's recently updated rules for extensions on privacy, and so, its add-ons were kicked out of the Firefox store.
"The amount of data collected here exceeds by far what would be considered necessary or appropriate even for the security extensions, for the shopping helpers this functionality isn’t justifiable at all," Palant argued.
Banned but not disabled
While the extensions are no longer accessible from the official Firefox add-on service, they still work with the browser, so those currently using the extensions will still be able to do so.
Avast acknowledged the take-down, and told The Register it was working with Mozilla on a resolution.
"We have offered our Avast Online Security and SafePrice browser extensions for many years through the Mozilla store," an Avast spinner told us. "Mozilla has recently updated its store policy and we are liaising with them in order to make the necessary adjustments to our extensions to align with new requirements.
"The Avast Online Security extension is a security tool that protects users online, including from infected websites and phishing attacks. It is necessary for this service to collect the URL history to deliver its expected functionality. Avast does this without collecting or storing a user's identification."
There seems to be some confusion over that last part: Avast says it doesn't collect user identifiers, yet according to Palant, the extensions may generate a per-user identifier code, called userid, that's sent with each URL.
Palant, meanwhile, is now hoping to convince Google to follow Mozilla's lead and block the Avast add-ons for Chrome and Opera users.
"Google Chrome is where the overwhelming majority of these users are," the programmer noted. "The only official way to report an extension here is the 'report abuse' link. I used that one of course, but previous experience shows that it never has any effect." ®