Flash Video Downloader (FVD) Installs .EXE to Modify Own .XPI with Possible Malware, Spawn Processes, and Crash Firefox Nightly on Startup #1026
Critical Issues with Flash Video Downloader Crashing Firefox Nightly on Startup after XPI Self-Modification for Malware Injection
Steps to Reproduce
Direct Download of Unauthorized, Crash Inducing, Possibly Malware Infected XPI
You can download this .7z archive which includes v16.3.8 (unauthorized, possibly malware version installed by FVD's binary component which crashes Firefox) of email@example.com.
Crash Details and Failed Add-on Abuse & Crash Reports
You can review the crash report I submitted on 4/28/2019 at 6:18pm PST here for when FVD v16.3.8 causes Firefox to crash on startup.
According to that crash report, this may relate to Mozilla bug 1547596 "Crash in mozilla::DataStorage::Remove".
I submitted a report via the "Report this add-on for abuse" button on the Add-on page at https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/ on 4/28/2019 around 7:20pm PST.
You can also find an Add-on review describing this issue.
I provided contact info in those reports but haven't received any responses since submitting on 4/28/2018 for a critical issue that has been causing crashes on startup in addition to its clear violation of Mozilla add-on review policy and malware-like behavior. Also, I haven't found any recent Mozilla bug reports related to Flash Video Downloader resulting from that, which is why I am submitting this bug report here with further details.
I would suggest:
FVD has circumvented the Mozilla Add-on review process, and is modifying/replacing its own .xpi file with versions not reviewed by Mozilla, which add CSP rules and scripts from a malware domain
Major Differences with Unreviewed FVD v16.3.8 XPI vs v16.2.9 (Injected Possible Malware Domain, CSP, and Scripts for All Pages)
After comparing the manifest.json files (as included in the linked .7z download) for both the Mozilla reviewed and unreviewed/stable versions of the XPI files for FVD, I noticed the following key suspicious additions to manifest.json for v16.3.8 compared to v16.2.9.
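A way to automate the manifest comparison described in the report above, as an added example that is not part of the original issue or the add-on's code: it reads manifest.json from two XPI archives and reports a changed `content_security_policy`, content scripts newly matched to all pages, added permissions and newly referenced hosts. The two manifests, the `review_diff` and `make_xpi` helpers and the `cdn.example.invalid` domain are constructed for illustration and are not the FVD files.

```python
import io, json, re, zipfile

ALL_URLS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def read_manifest(xpi_bytes):
    """An XPI is a ZIP archive; manifest.json sits at its root."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return json.loads(z.read("manifest.json"))

def hosts(manifest):
    """Every http(s) hostname mentioned anywhere in the manifest."""
    return set(HOST_RE.findall(json.dumps(manifest)))

def review_diff(old, new):
    """Return (kind, detail) findings for security-relevant additions in `new`."""
    findings = []
    if new.get("content_security_policy") != old.get("content_security_policy"):
        findings.append(("csp_changed", new.get("content_security_policy")))
    seen = {json.dumps(c, sort_keys=True) for c in old.get("content_scripts", [])}
    for cs in new.get("content_scripts", []):
        is_new = json.dumps(cs, sort_keys=True) not in seen
        if is_new and ALL_URLS & set(cs.get("matches", [])):
            findings.append(("all_pages_content_script", cs.get("js", [])))
    for perm in sorted(set(new.get("permissions", [])) - set(old.get("permissions", []))):
        findings.append(("permission_added", perm))
    for h in sorted(hosts(new) - hosts(old)):
        findings.append(("host_added", h))
    return findings

def make_xpi(manifest):
    """Build an in-memory XPI (constructed sample, not a real add-on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()

# Constructed manifests: names, versions and the domain are placeholders.
REVIEWED = {"manifest_version": 2, "name": "sample", "version": "1.0",
            "permissions": ["downloads"],
            "content_scripts": [{"matches": ["*://video.example/*"], "js": ["page.js"]}]}
UNREVIEWED = dict(REVIEWED, version="1.1", permissions=["downloads", "webRequest"],
    content_security_policy="script-src 'self' https://cdn.example.invalid; object-src 'self'",
    content_scripts=REVIEWED["content_scripts"] + [{"matches": ["<all_urls>"], "js": ["inject.js"]}])

def demo():
    return review_diff(read_manifest(make_xpi(REVIEWED)), read_manifest(make_xpi(UNREVIEWED)))

print(*demo(), sep="\n")
```

Running the same comparison against the installed XPI in the Firefox profile and the copy served by addons.mozilla.org shows whether the file on disk still matches the reviewed version.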
The addon has been added to the repository under the new name:
I believe it is not safe to use?
Clearly, it would be reasonable for me as a user of the tools to decide to add an exception on an add-on-basis — does anyone think that is crazy, or disagree with me on that?
This is the only add-on tool I've installed that has actually done what I want, I keep the risks in mind.
Real world example: the moderators at YouTube have on more than one occasion removed very interesting and informative videos from under my nose — sometimes the only way to ensure ability to watch something of journalistic and investigative interest, and avoiding censorship, is to download the video of interest before the censors have gotten to it.
Forced blocking of add-ons takes away individuals' ability to choose, even unsafe extensions of the main tool of preference: Firefox — like above mentioned last resort :-(
I very strongly advocate user choice. I would agree that the web should be made as safe as possible for masses of incompetent people, there should always be a hidden option to enable add-ons instead of hard blocks. Perhaps the author was injecting a little harmless advertising? Who knows? But I've been using this plugin for perhaps years, am quite fond of it, and very disappointed in Mozilla's decision to hard-block it. I adore Firefox but this is beyond obnoxious. This is outrageous.
The Linux packages of the external application are at http://fvdmedia.com/installation-guide-linux-unix/
Maybe there's a way to find out what exactly they do.
Has anybody tried to contact the author of the addon? If he tried to bypass limitations for legitimate reasons, maybe you can provide him with a proper way to achieve what he tried to achieve.
I used the addon for a few months and it did very well what it advertised to do, in some respects better than other addons of this genre. That's why I would hate to lose it.
Why are people's comments, who question this action, being marked as off topic? For a balanced view of this issue I request that my comment not be marked as off topic, and answers to the above questions be given.
I have been using this Add-on for years without issue. I accept the risk with the external program that it installs. I have found this Add-on to be far better than the suggested alternative - "Video DownloadHelper" - which I also have had installed for years.
The "Malware" domain of mdn2015x4.com was mentioned. This domain is parked, so it's not in use. As this was part of the reason for disabling this Add-on, please list specifically why the presence of this domain is a problem.
Also, can you please list the steps that the developer needs to take so that the Add-on can be restored. Thank you.
Never mind - the Add-on has been updated and is available at https://addons.mozilla.org/en-US/firefox/addon/flash-videodownloader/