So, I think an apology might be in order.
Few days ago, I profiled what seemed to be a pretty awesome extension known as Google+Facebook. What it purported to do was allow you to view your Facebook news feed and information from your Google + account. And to be fair, it did that. All in all, a pretty useful tool. Problem was, there were a few rather unpleasant functions in the extension’s code, the presence of which pretty much inarguably paints it as Malware. Credit goes to RogueDarkJedi on Reddit for pointing it out to the community, and a fellow named Martin for pointing it out to me on this post
So, What’s the problem?
Roguedarkjedi over on Reddit decided he’d pop open the extension and take a look at some of the inner coding. What he found was rather…distressing, to say the least. After looking into Crossrider (and the exchange between Koby Menachemi and RogueDarkJedi), there’s a few red flags and warning lights that are positively screaming in my head about this one. And most of them actually have nothing to do with RDJ’s findings.
- After continuallyevading questions and comments regarding the extension, Mr. Menechemi rather unprofessionally resorted to (ironically, rather rudely) calling RDJ uncivil, and apparently started using Sockpuppet accounts to try to support his side. Oh, and he apparently lies. A lot. Not exactly the sort of behavior you’d except from a business professional, is it?
- This:“It actively (and at random) looks for known webmail domains and starts reading your emails until it hits a quote block which it then uses to append a signature to your emails in order to get your friends to start using this software.” Not. Sodding. Cool. Oh, but it’s okay- that feature was only available in the old API. The new API doesn’t let devs access it. If that’s the case, then why in the bleeding hell is the code still there, Koby-boy
- Take a look at the Chrome Marketplace. And the Firefox App Store. Notice something missing? Crossrider’s extension hasn’t appeared on either site. Again, more red flags.
- The fact that you have to go through the processes listed in this article to uninstall the extension is the final nail in the coffin. Any piece of software that forces you to jump through hoops to get rid of it is not okay, in my books.
At this point, I don’t even need to see the code for the extension- any business which conducts themselves in the sort of fashion that Crossrider has here is one that I want to stay the hell away from. But just for kicks, let’s take a look at some other things RDJ found wrong with the extension. (Note that he was looking at the Firefox coding- though the Chrome and IE9 extensions have similar issues) I’ve copied all of his comments into categories.
Malware: The API makes multiple references to a premium service. What this means is that if the author of the plugin fails to pay the service money, CrossRider can force all users of the plugin to install additional crap. This is a forced change that you cannot opt-out of. Several mentions in the code to overriding your browser homepage. There is one place where I see this happen, but I don’t know if any function actually calls it. Uninstalling will not revert any of these changes. The “Easy to Uninstall” part on their page is bullshit. Premium or not, the only clean up made from their uninstaller is their pref branch, which does fairly little. There is no restoration of the changes like the search plugin, the search settings or your homepage.
Privacy: This addon sends browser stats while it is on the manage screen. Data sent is the browser type, addon version, script version and this value called bic (which I assume is supposed to be unique [considering it only gets set after receiving data from the server]). It might do this in other places as well. Your FB data does go through their service.
Security: There are a ton of content permission hacks in order to mount remote JS and run it at a higher permission level. It’s rather lame considering Mozilla gives you safe interfaces that allow you to do this safely.
Privacy, Security, And Malware: You have no idea when this file will change. It’s downloaded at start up and ran with window chrome permissions (this is considered dangerous). At any point in time, the author could basically say fuck you and change it to start data mining. But that’s okay, because the change will happen in the background without you ever knowing. Ever
I’ve seen enough. You can find the rest of RDJ’s examination of the extension on the reddit thread. A user known as crow1170, who initially started off suspicious of RDJ’s claims did a similar examination of the code in the IE addon…let’s just say he’s on RDJ’s side now.
How do I get rid of it?
Gadgets Magazine was helpful enough to compile instructions (presumably all from the reddit thread) on how to get this crap off of your system if you made the mistake of downloading it.
Uninstall the add-on via the Firefox add-ons manager.
Go to about:config.
Reset all the values in about: config for the following:
Go to tools.
Select Google+Facebook and hit uninstall.
Press alt, select tools.
Click on manage extensions.
Find Google+Facebook and press disable.