Rated 1 out of 5 stars

by bugblatter on Dec. 23, 2013 ·

I had been using this addon for many years as it was very useful. It hadn't been updated in a long time, but it still worked. At some point, it was taken over from the original author and modified to send back the urls of websites I had visited (spyware). Firefox automatically updated my copy to this new version, and I never noticed for months. I came upon a few negative reviews here by accident and decided to look at the code to investigate. It was there unfortunately, and I found a url it had saved as well. I promptly uninstalled it from both Firefox and Thunderbird. Who knows what they did with that data? There are newer versions now which may have 'fixed' this, but I don't want to try them - why bother when trust is gone?

I googled around, and it seems like this is a thing, where a company takes over old or abandoned extensions and adds spyware. The update happened silently, months ago, so I had no chance to review it. Apparently it passed the Mozilla review process as well. I checked every other extension I have installed (time-consuming) and turned off auto-updates for them except the ones I absolutely trust. Now I don't trust anything on this site 100% by default.

All I can suggest is this. Try to review all of your installed extensions (eg, check user reviews here) regularly. Consider turning off auto-update for them and update them manually when you need to (after checking them out). Watch in particular extensions that haven't been updated in a long time by the original author (say over a year), since they might be taken over in the future.

Also: Check out this article. I won't include the url, but google for this: "How companies take advantage of Mozilla’s Addon repository" by Martin Brinkmann, at ghacks.net. It talks about Autocopy specifically.