crvtck.com-Tracker in "Screengrab!".

Unread post by dreieck » 2018-06-02, 18:15

On http://addons.palemoon.org/incompatible/, the Firefox addon "Screengrab!" is listed as incompatible with Pale Moon, and it is advised to use version 0.99.12.

However, this addon contains a tracker:

When the addon is enabled, whenever I visit a new domain (or revisit an
old one after some time), this is logged to crvtck.com, possibly
containing other data.

I see HTTP requests of the form

https://crvtck.com/get?key=<key>&out=https://kauflandstiftung.demdex.net&ref=https://www.kaufland.de&uid=o256&format=txt
<key> is a hex string with 32 characters.

If the addon is disabled, those requests are not sent out.

So I strongly advise to place a fat warning to the "Screengrab!" entry at http://addons.palemoon.org/incompatible/.

Tested with Screengrab! version 0.99.12 in Pale Moon 27.9.2 (custom build).

(Same with S3.Google translator, by the way.)

fillerup

Re: crvtck.com-Tracker in "Screengrab!".

Unread post by fillerup » 2018-06-02, 20:59

concerning. can you check whether the author's other popular extensions do the same thing

e.g. Menu Wizard https://addons.mozilla.org/en-US/firefo ... enu-wizard

Forecastfox https://addons.mozilla.org/en-US/firefo ... /versions/

dreieck

Re: crvtck.com-Tracker in "Screengrab!".

Unread post by dreieck » 2018-06-03, 07:54

fillerup wrote:concerning. can you check whether the author's other popular extensions do the same thing

e.g. Menu Wizard https://addons.mozilla.org/en-US/firefo ... enu-wizard

Forecastfox https://addons.mozilla.org/en-US/firefo ... /versions/
Sorry, I don't have the capacity to test all this.

I noticed that WWWOFFLE (I am using this local proxy sometimes) sometimes requested those websites when I was fetching things requested in offline mode. And then I used WWWOFFLE with log level 4 to monitor the requests the browser sends out through the proxy, in order to identify what is causing this, and ended up with these two addons.

In the request to 'crvtck.com' I gave as example, the 'kaufland'-URL is a URL I actively visited, and it is sending what I visit and where I come from to visit this (if I open a new empty tab and type a URL there, google.com is used as referer).

fillerup

Re: crvtck.com-Tracker in "Screengrab!".

Unread post by fillerup » 2018-06-03, 08:05

dreieck wrote:I noticed that WWWOFFLE (I am using this local proxy sometimes) sometimes requested those websites when I was fetching things requested in offline mode. And then I used WWWOFFLE with log level 4 to monitor the requests the browser sends out through the proxy, in order to identify what is causing this, and ended up with these two addons.

In the request to 'crvtck.com' I gave as example, the 'kaufland'-URL is a URL I actively visited, and it is sending what I visit and where I come from to visit this (if I open a new empty tab and type a URL there, google.com is used as referer).
no problem, thank you for the report. i have added the domain in question to both my ublock origin and HOST file (though the former should be sufficient in this case, correct me if i'm wrong)

dreieck

Also to discount.s3blog.org -- Re: crvtck.com-Tracker in "Screengrab!".

Unread post by dreieck » 2018-06-03, 10:23

.. I also notice POST requests to discount.s3blog.org:

http://discount.s3blog.org/addon.html?!POST:<string>

peanup buttah

Re: crvtck.com-Tracker in "Screengrab!".

Unread post by peanup buttah » 2018-07-10, 02:05

Is it doing it even if "Advertising is disabled" under the Advertisement tab in the add-on's settings?

Confirmed by the Wayback Machine that the add-on had a privacy policy on addons.mozilla.org at the time of 0.99.12's release, which stated the following:
"If user consent is given, this add-on will show advertising on web pages.
In that case, the user's browsing history can be accessed by a third party (ad network).

"But we don't collect cookies, password, e-mails or any other confidential info.
Only the domains (not full URLs) of the web-sites visited and nothing else."
That same privacy policy is still there even though advertising is apparently removed from recent versions, as there's no longer a setting for it (although the situation is a bit murky as the author had also said on the Mozillazine forums that "advertising is present, but for a certain number of users"). Perhaps the policy remains there to cover those 'certain users' and/or earlier versions that are still available for download.

There's a pretty serious issue with consent though, at least for 0.99.12. I just installed it on a fresh Firefox 52 ESR profile, and it has "Advertising is enabled" set by default, without anything having popped up to draw the user's attention to the privacy policy and ask if they agree to it.

peanup buttah

Re: crvtck.com-Tracker in "Screengrab!".

Unread post by peanup buttah » 2018-07-10, 04:55

Just a followup to my earlier (yet to be approved) post. I've been using Firefox's HTTP logging and observed the same POST requests to discount.s3blog.org (the logging doesn't show their content) and seemingly corresponding GET requests to crvtck.com in the same format as dreieck posted. The add-on's source contains no reference to crvtck.com, so I'm guessing the s3blog.org requests redirect there.

Regarding the lack of consent, this tab did 'randomly' appear during a subsequent browser session. However, the advertising/tracking was in effect before this screen, and even after clicking the option to decline, it was still enabled and remained so after a browser restart. After positively disabling it in the settings, the s3blog.org and crvtck.com requests did stop, so 0.99.12 does at least appear to respect the setting.

Perhaps most worryingly, I'm seeing the s3blog.org and crvtck.com requests in a clean-profile test using the current version of ScreenGrab! on the current version of Firefox, but I suppose that's a bit off-topic here and will have to be raised elsewhere.

dreieck

Re: crvtck.com-Tracker in "Screengrab!".

Unread post by dreieck » 2018-07-16, 09:45

Thanks, peanup buttah, for your investigations.
peanup buttah wrote:Is it doing it even if "Advertising is disabled" under the Advertisement tab in the add-on's settings?
Oh, I just found that there is a setting for this. I usually go through all settings upon installation of a new addon, but why have I not noticed this?
On upgrade I do not search all the settings if there is anything new.

I disabled it now. It seems that the requests are not anymore placed then.
peanup buttah wrote:Just a followup to my earlier (yet to be approved) post. I've been using Firefox's HTTP logging and observed the same POST requests to discount.s3blog.org (the logging doesn't show their content) and seemingly corresponding GET requests to crvtck.com in the same format as dreieck posted. The add-on's source contains no reference to crvtck.com, so I'm guessing the s3blog.org requests redirect there.
I think so, too, since if I block s3blog.org on my local machine so that requests to s3blog.org fail, I do not see requests to crvtck.com.
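
Added example, not part of the thread and not any poster's code: a log check built from the request format reported above, which flags requests to the two hosts named in the thread and shows which visited site and referrer each crvtck.com request discloses. The "time method URL" log layout, the sample key, and all function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts reported in this thread; everything else below is constructed.
TRACKER_HOSTS = ("crvtck.com", "discount.s3blog.org")
URL_RE = re.compile(r"https?://\S+")
KEY_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample log (hypothetical "time method URL" layout, made-up key).
SAMPLE_LOG = """\
2018-06-02 18:01:10 GET https://www.kaufland.de/
2018-06-02 18:01:11 POST http://discount.s3blog.org/addon.html
2018-06-02 18:01:11 GET https://crvtck.com/get?key=0123456789abcdef0123456789abcdef&out=https://kauflandstiftung.demdex.net&ref=https://www.kaufland.de&uid=o256&format=txt
2018-06-02 18:01:12 GET https://example.org/?next=https://crvtck.com/get
"""

def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower()

def is_tracker(host):
    """Match the listed hosts and their subdomains, never a bare substring."""
    return any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS)

def inspect_line(line):
    """Return a finding for a request to a listed host, else None."""
    m = URL_RE.search(line)
    if not m or not is_tracker(host_of(m.group(0))):
        return None
    url = m.group(0)
    q = parse_qs(urlsplit(url).query)
    first = lambda name: q.get(name, [""])[0]
    return {
        "host": host_of(url),
        "visited": host_of(first("out")),    # site being loaded
        "referrer": host_of(first("ref")),   # site the user came from
        "key_ok": bool(KEY_RE.fullmatch(first("key"))),  # 32 hex characters
    }

def scan(log_text):
    """Findings for every line of a log that contacts a listed host."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The last sample line only mentions crvtck.com inside another site's query string, so it is not flagged; matching on the parsed hostname avoids the false positive a plain substring search would give.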
