Mozilla removes Avast and AVG extensions from add-on portal over snooping claims

The four extensions, two from Avast and two from AVG, are still available on the Chrome Web Store.

Mozilla Add-ons

Image: ZDNet

Mozilla removed today four Firefox extensions made by Avast and its subsidiary AVG after receiving credible reports that the extensions were harvesting user data and browsing histories.

The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice.

The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons.

Extensions caught snooping in October

Mozilla removed the four extensions from its add-ons portal after receiving a report from Wladimir Palant, the creator of the AdBlock Plus ad-blocking extension.

Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work -- including detailed user browsing history, a practice prohibited by both Mozilla and Google.

He published a blog post on October 28, detailing his findings, but in a blog post dated today, he said he also found the same behavior in the Avast and AVG SafePrice extensions as well.

Seeing that his original blog post didn't get the traction he hoped, and neither browser maker intervened to take down the extensions on their own accord, Palant said he reported the extensions to Mozilla developers yesterday, hoping that the organization would take action -- which, it did, removing all four add-ons within 24 hours.

Avast told ZDNet they are working with Mozilla "to resolve the issue."

"The Avast Online Security extension is a security tool that protects users online, including from infected websites and phishing attacks," an Avast spokesperson told ZDNet. "It is necessary for this service to collect the URL history to deliver its expected functionality. Avast does this without collecting or storing a user's identification.

"We have already implemented some of Mozilla's new requirements and will release further updated versions that are fully compliant and transparent per the new requirements," the Avast spokesperson said. "These will be available as usual on the Mozilla store in the near future."

Extensions still available on Chrome Web Store

The four extensions are still available on the Chrome Web Store [1, 2, 3, 4], according to Palant.

"The only official way to report an extension here is the 'report abuse' link," he said. "I used that one of course, but previous experience shows that it never has any effect.

"Extensions have only ever been removed from the Chrome Web Store after considerable news coverage," he added.

However, Google is expected to remove the four extensions, as the browser maker has historically cracked down on extensions that collect user browsing records.

For example, in July 2018, Google staff temporarily removed the Stylish extension until it removed the code that harvested users' web browsing history.

Article updated with Avast comments.