
Flash Video Downloader (FVD) Installs .EXE to Modify Own .XPI with Possible Malware, Spawn Processes, and Crash Firefox Nightly on Startup #1026

Closed
PowerAccess opened this issue May 4, 2019 · 9 comments

@PowerAccess

commented May 4, 2019

Critical Issues with Flash Video Downloader Crashing Firefox Nightly on Startup after XPI Self-Modification for Malware Injection

  1. Flash Video Downloader (FVD) is updating its own XPI to version v16.3.8 unreviewed by Mozilla, circumventing Mozilla add-on review process (it seems for many releases over the past 6 months, over which period it completely stopped even attempting to make releases on addons.mozilla.org), hacking itself, to inject CSP rules and scripts into its manifest for malware domain mdn2015x4.com.

  2. Flash Video Downloader (FVD) v16.3.8 installed in this way is causing Firefox Nightly to crash every time on startup.

  3. Every time I launched Firefox I ended up with another FVD_Downloader_Module.exe process spawned on Firefox startup, even when not using FVD, and those processes remain, even after closing Firefox (they may or may not remain or continue to pile up in cases when Firefox does not crash), so that I ended up with 12+ (and growing) number of FVD_Downloader_Module.exe processes running forever in the background.

Steps to Reproduce

  1. Install Flash Video Downloader (FVD) (https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/) with Firefox Nightly for Windows 10 x64. Back up the .xpi file located at the following path (for comparison, as it modifies/replaces its own XPI to unapproved, unstable and seemingly malware infected version):
    <ProfileFolder>/extensions/artur.dubovoy@gmail.com.xpi

  2. Go to a video page (such as https://www.youtube.com/watch?v=-GyOZ5-KrSs) and click FVD toolbar button, and you will see that for most download options a "Convert" button is shown instead of "Download"
    [image]

  3. Click the Convert button, and an overlay is shown with a "Download FVD Downloader Module" prompt button:
    [image]

  3B. Alternatively, you can go to the Settings page for the FVD extension, and you will see the same "Download FVD Downloader Module" button there too:
    [image]

  4. Click the "Download FVD Downloader Module" button which takes you to a page (http://fvdmedia.com/installation-guide-windows/) which downloads and prompts the user to install (and add an anti-virus exception for) "FVD_Downloader_Module.exe", like shown below:
    [image]

  5. Install "FVD_Downloader_Module.exe" and restart Firefox Nightly, which results in installing Windows program "FVD Downloader Module" (v1.0.8 in my case) to file path:
    C:\Users\<UserName>\AppData\Roaming\FVD Downloader Module\FVD_Downloader_Module.exe

  6. You will see that the extension XPI file (artur.dubovoy@gmail.com.xpi) has been updated to v16.3.8 (or a much newer version than v16.2.9, from 6 months ago, which is the latest version available at https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/).

  7. Firefox Nightly then crashes about 2 seconds after being launched, every single time it is launched. This occurs before I could even attempt to view Console or perform any other kind of debugging. Also, the FVD extension update does not even show up under about:addons > gear icon > View Recent Updates. All of this made it very difficult for users to determine the cause of Firefox crashing on startup.

  8. You can open the XPI and view its manifest.json file to confirm the version it was updated to (since it crashes Firefox Nightly on startup for me preventing inspecting its version on about:Addons) to compare differences in xpi.

  9. If you don't see that the XPI was updated yet (from latest release v16.2.9 on addons.mozilla.org to v16.3.8 like in my case), you may need to restart your PC or wait a while for it to perform an auto-update.

  10. If for some reason you don't see the same XPI version (v16.3.8) or don't see crashes on startup, this could be due to what version of the "FVD Downloader Module" was installed (1.0.8 in my case). However, most FVD users will have the "Binary Component" installed long ago, like in my case, so that the majority of users will encounter the same issues as myself.

  11. You can disable the Add-on (once the .exe updated to v16.3.8 or you manually installed that version as provided in the .7z archive download link), start up Firefox Nightly, then manually enable the addon. Within 2 seconds of it being enabled, Firefox Nightly crashes (even when no other add-ons are enabled).
    I confirmed that FVD is the source of these crashes on startups by removing all other add-ons and starting Firefox with a new clean profile with FVD installed and seeing that it causes Firefox Nightly to crash on startup or when the addon is enabled.

Direct Download of Unauthorized, Crash Inducing, Possibly Malware Infected XPI

You can download this .7z archive which includes v16.3.8 (unauthorized, possibly malware version installed by FVD's binary component which crashes Firefox) of artur.dubovoy@gmail.com.xpi.
This also includes the older v16.2.9 public Mozilla Addons release and the manifest.json file from each of those XPIs, for easy comparison.
You can manually install the XPI from the VirusOrCrashesFirefox-v16.3.8/ folder in that .7z to reproduce these issues or inspect that XPI without following all of the above steps, or if unable to reproduce via the above steps.

Crash Details and Failed Add-on Abuse & Crash Reports

You can review the crash report I submitted on 4/28/2019 at 6:18pm PST here for when FVD v16.3.8 causes Firefox to crash on startup.

https://crash-stats.mozilla.org/report/index/41e638f4-8673-44ee-b621-fa6920190429

According to that crash report, this may relate to Mozilla bug 1547596 "Crash in mozilla::DataStorage::Remove".

I submitted a report via the "Report this add-on for abuse" button on the Add-on page at https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/ on 4/28/2019 around 7:20pm PST.

You can also find an Add-on review describing this issue.

I provided contact info in those reports but haven't received any responses since submitted on 4/28/2018 for a critical issue that has been causing crashes on startup in addition to its clear violation of Mozilla add-on review policy and malware-like behavior. Also, I haven't found any recent Mozilla bug reports related to Flash Video Downloader resulting from that, which is why I am submitting this bug report here with further details.

Suggested Actions

I would suggest:

  1. Investigating for abuse (or suggesting the abuse report I'd filed be investigated/prioritized, as it seems like it wasn't acted on)
  2. Investigating whether FVD is prompting install of malware, violating Mozilla policies with modifying its own XPI to unreviewed versions.
  3. Contacting the add-on developer about how they should submit versions for review via addons.mozilla.org instead of via their new .exe distribution workaround (which it seems has been used exclusively for distributing .xpi updates for the past 6 months).
  4. Ensuring this add-on no longer causes crashes on startup with Firefox Nightly or other Firefox releases (which may not have any fixes available for a while to them, even if fixed in Firefox Nightly)
  5. Possibly blacklisting FVD version 16.3.8 or other unreviewed or crash-inducing or malware-like versions of FVD.
  6. Investigating whether the newer XPI versions its exe is installing, as well as even older versions, are exhibiting malware-like behavior with mdn2015x4.com scripts or via any other means.

Concerns

FVD has circumvented the Mozilla Addon review process, and is modifying/replacing its own .xpi file with versions not reviewed by Mozilla, which adds CSP rules and scripts from malware domain
mdn2015x4.com.
It has done so by prompting users to install an .exe as is required for even basic usage for FVD prompting users to install when they attempt to download many/most videos, as well as even potentially infecting the browser itself, with the XPI indirectly modifying its own .XPI file.
The result is, at best, instability causing Firefox Nightly to crash every time on startup (in a way that makes it very difficult to determine the cause and disable the extension, as it doesn't even appear under "Recently Updated Extensions"). At worst, this may be installing malware into the browser.

Major Differences with Unreviewed FVD v16.3.8 XPI vs v16.2.9 (Injected Possible Malware Domain, CSP, and Scripts for All Pages)

After comparing the manifest.json files (as included in the linked to .7z download) for both the Mozilla reviewed and unreviewed/stable versions of the XPI files for FVD, I noticed that the following are the key suspicious additions to manifest.json for v16.3.8 compared to v16.2.9.

  1. Added a CSP Content Security Policy for all pages for mdn2015x4.com, which appears to be a malware domain:
    "content_security_policy": "script-src 'self' *.mdn2015x4.com; object-src 'self'",

  2. Injects 2 new scripts which run for all pages (and which are new .js files not found in the version reviewed by Mozilla) including:
    /js/hooks/full-page.js
    /js/contentScripts/contentAll.js

  3. Adds a script from malware domain mdn2015x4.com to popup.html

My Configuration

  • Firefox Nightly 68.0a1 (2019-04-28) (64-bit)
  • Windows 10 Pro x64
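
An added example, not part of the original report or the extension's code: one way to surface the manifest.json additions listed above when comparing an installed XPI's manifest against the reviewed release. The two manifests are constructed; only the CSP string and the two script paths come from the report, while the `<all_urls>` match pattern and the placeholder entries are assumptions.

```python
import json

# Constructed manifests (Manifest V2 string-form CSP assumed). Only the CSP
# string and the two script paths come from the report; the match patterns
# and the placeholder entry are assumptions made for this example.
REVIEWED = json.loads("""{
  "version": "16.2.9",
  "content_scripts": [
    {"matches": ["*://example.invalid/*"], "js": ["/js/placeholder-existing.js"]}
  ]
}""")
UNREVIEWED = json.loads("""{
  "version": "16.3.8",
  "content_security_policy": "script-src 'self' *.mdn2015x4.com; object-src 'self'",
  "content_scripts": [
    {"matches": ["*://example.invalid/*"], "js": ["/js/placeholder-existing.js"]},
    {"matches": ["<all_urls>"],
     "js": ["/js/hooks/full-page.js", "/js/contentScripts/contentAll.js"]}
  ]
}""")

# Match patterns that cause a content script to run on every page.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def remote_script_sources(manifest):
    """Sources allowed by script-src that are not quoted keywords like 'self'."""
    found = set()
    for directive in manifest.get("content_security_policy", "").split(";"):
        name, *sources = directive.split() or [""]
        if name.lower() == "script-src":
            found.update(s for s in sources if not s.startswith("'"))
    return found

def all_page_scripts(manifest):
    """JS files injected by content_scripts entries that match every page."""
    files = set()
    for entry in manifest.get("content_scripts", []):
        if BROAD & set(entry.get("matches", [])):
            files.update(entry.get("js", []))
    return files

def review_update(old, new):
    """Summarize what the new manifest adds relative to the reviewed one."""
    return {
        "versions": (old.get("version"), new.get("version")),
        "new_remote_script_sources":
            sorted(remote_script_sources(new) - remote_script_sources(old)),
        "new_all_page_scripts":
            sorted(all_page_scripts(new) - all_page_scripts(old)),
    }

if __name__ == "__main__":
    print(json.dumps(review_update(REVIEWED, UNREVIEWED), indent=2))
```

To run it against real files, load each manifest.json out of the XPI (a zip archive) with `zipfile` and pass the parsed objects to `review_update`.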

@PowerAccess changed the title from "Flash Video Downloader (FVD) Installs .EXE to Modify Own .XPI with Possible Malware and Crashes Firefox Nightly on Startup" to "Flash Video Downloader (FVD) Installs .EXE to Modify Own .XPI with Possible Malware, Spawn Processes, and Crash Firefox Nightly on Startup" on May 4, 2019

@wagnerand

Member

commented May 6, 2019

Thank you for the very detailed report. We are starting an investigation and will take the necessary steps.

@wagnerand wagnerand closed this May 6, 2019

@jed84


commented May 7, 2019

The addon has been added to the repository under the new name:
https://addons.mozilla.org/pl/firefox/addon/flash-videodownloader/

I believe it is not safe to use?

@wagnerand

Member

commented May 8, 2019

Thank you for the heads up, we will look into it.

@ozra

This comment was marked as off-topic.

commented May 8, 2019

Clearly, it would be reasonable for me as a user of the tools to decide to add an exception on an add-on-basis — does anyone think that is crazy, or disagree with me on that?

This is the only add-on tool I've installed that has actually done what I want, I keep the risks in mind.

Real world example: the moderators at Youtube have on more than one occasion removed very interesting and informative videos from under my nose sometimes — sometimes the only way to ensure ability to watch something of journalistic and investigative interest, and avoiding censorship, is to download the video of interest before the censors have gotten to it.

Forced blocking of add-ons takes away individuals' ability to choose, even unsafe extensions of the main tool of preference: Firefox — like above mentioned last resort :-(

@joerpaul

This comment was marked as off-topic.

commented May 9, 2019

I very strongly advocate user choice. I would agree that the web should be made as safe as possible for masses of incompetent people, there should always be a hidden option to enable add-ons instead of hard blocks. Perhaps the author was injecting a little harmless advertising? Who knows? But I've been using this plugin for perhaps years, am quite fond of it, and very disappointed in Mozilla's decision to hard-block it. I adore Firefox but this is beyond obnoxious. This is outrageous.

@joerpaul

This comment was marked as off-topic.

commented May 9, 2019

I do know the author at some point created an external application for the download/conversion of videos to overcome some limitation in the browser-only approach.

@mpopp75

This comment was marked as off-topic.

commented May 9, 2019

The Linux packages of the external application are at http://fvdmedia.com/installation-guide-linux-unix/

Maybe there's a way to find out what exactly they do.

Has anybody tried to contact the author of the addon? If he tried to bypass limitations for legitimate reasons, maybe you can provide him with a proper way to achieve what he tried to achieve.

I used the addon for a few months and it did very well what it advertised to do, in some respects better than other addons of this genre. That's why I would hate to lose it.

@wagnerand wagnerand self-assigned this May 9, 2019

@sidekickc

This comment was marked as resolved.

commented May 13, 2019

Why are people's comments, who question this action, being marked as off topic? For a balanced view of this issue I request that my comment not be marked as off topic, and answers to the above questions be given.

I have been using this Add-on for years without issue. I accept the risk with the external program that it installs. I have found this Add-on to be far better than the suggested alternative - "Video DownloadHelper" - which I also have had installed for years.

The "Malware" domain of mdn2015x4.com was mentioned. This domain is parked, so it's not in use. As this was part of the reason for disabling this Add-on, please list specifically why the presence of this domain is a problem.

Also, can you please list the steps that the developer needs to take so that the Add-on can be restored. Thank you.

@sidekickc

This comment was marked as off-topic.

commented May 13, 2019

Never mind - the Add-on has been updated and is available at https://addons.mozilla.org/en-US/firefox/addon/flash-videodownloader/

@mozilla mozilla locked as resolved and limited conversation to collaborators May 13, 2019
