Firefox Add-on YouTube Unblocker blocked by Mozilla

[Jordan]

Firefox Add-on YouTube Unblocker blocked by Mozilla

Mozilla banned the popular Firefox add-on YouTube Unblocker yesterday after it was confirmed that it tampers with Firefox security preferences, and downloads and installs an unrelated add-on from an unofficial website.

The add-on, used to unblock YouTube videos that are blocked in certain countries by redirecting access through proxy servers in countries where the video is available, has hundreds of thousands of users.

The bug report on Bugzilla offers details on the add-on's wrong doings. It disables Firefox security preferences using user.js manipulations, among them the blocklist feature and add-on signature enforcement, and downloads another add-on afterwards, named Adblock Converter, which it hides from the browser's Add-on Manager.

Please note that the downloaded extension may use different names, so make sure you check for any add-on listed in the Add-ons Manager that you have not installed.

Looking at the code of the add-on "YouTube Unblocker", I found the responsible code in the file [email protected]\resources\unblocker-api\lib\utils.js following line 138. The function updateConfigFile() downloads files from a web server and places them onto the hard drive of the user.

In the case of the attached response.json it is a user.js and a malicious add-on. Both are a clear violation of the add-on guidelines.

 

Firefox users who have the add-on installed in the browser should consider the following course of action immediately:

1. Removal of the YouTube Unblocker add-on if that has not been done already by Mozilla through the browser's blocklist feature.
2. Removal of the adblock converter extension using Firefox's Safe Mode. This can be started by holding down the Shift-key on the keyboard before Firefox is launched.
3. Opening the profile folder to delete any traces of YouTube Unblocker or Adblock Converter, especially any folder starting with youtubeunblocker
4. Starting Firefox, opening about:config and resetting the following Firefox preferences by searching for them, right-clicking on them and selecting reset from the context menu:
   1. xpinstall.signatures.required
   2. extensions.blocklist.enabled
   3. extensions.blocklist.url
   4. extensions.blocklist.detailsURL
   5. extensions.blocklist.itemURL

Firefox users who want to be on the safe side should consider resetting the browser instead. This can also be done by holding down the Shift-key on the keyboard during start of the browser.

 

 

Select Refresh Firefox this time to reset the browser. Please note that this will remove installed add-ons, themes, and reset preferences and other customization, but will keep bookmarks, passwords, the browsing history and open windows and tabs among other things.

The add-on is no longer listed on Mozilla's official Add-ons repository (AMO)

 

Source

[DKT27]

There I thought they censored it. They are actually protecting users from it.

 

How this addon bypassed Firefox's testing though, I do not know about it.

[straycat19]

It would take a huge amount of manpower to thoroughly test every application, especially if there was some type of time bomb in it that only triggered a certain action after so many days or hours.  So users should understand that though they may take a cursory look at each extension, extensive testing is not feasible.  Mozilla and Google strive to keep their browsers, and therefore their users, safe and secure.  Though I use several extensions in each, I am very selective and only use those that have been thoroughly tested by myself or my friends on test systems before using them on my production systems.  Personally I would like to see a browser that had no extensions or addons and only did what it is supposed to do, display websites, and do it in the utmost secure manner.  That's just like I would like to see an operating system with no addons or additons, that was secure, in which all applications installed on it ran in a sandbox automatically so that nothing could touch the base operating system.  Unfortunately, neither will ever happen.