Mozilla removed today four Firefox extensions made by Avast and its subsidiary AVG after receiving credible reports that the extensions were harvesting user data and browsing histories.
The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice.
The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons.
Extensions caught snooping in October
Mozilla removed the four extensions from its add-ons portal after receiving a report from Wladimir Palant, the creator of the AdBlock Plus ad-blocking extension.
Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work — including detailed user browsing history, a practice prohibited by both Mozilla and Google.
He published a blog post on October 28, detailing his findings, but in a blog post dated today, he said he also found the same behavior in the Avast and AVG SafePrice extensions as well.
Seeing that his original blog post didn’t get the traction he hoped, and neither browser maker intervened to take down the extensions on their own accord, Palant said he reported the extensions to Mozilla developers yesterday, hoping that the organization would take action — which, it did, removing all four add-ons within 24 hours.
Extensions still available on Chrome Web Store
Unfortunately, the four extensions are still available on the Chrome Web Store [1, 2, 3, 4], according to Palant.
“The only official way to report an extension here is the ‘report abuse’ link,” he said. “I used that one of course, but previous experience shows that it never has any effect.
“Extensions have only ever been removed from the Chrome Web Store after considerable news coverage,” he added.
However, Google is expected to remove the four extensions, as the browser maker has historically cracked down on extensions that collect user browsing records.
For example, in July 2018, Google staff temporarily removed the Stylish extension until it removed the code that harvested users’ web browsing history.