marahmarie: Sheep go to heaven, goats go to hell (Default)

I wrote about this before (this was years ago so I spoke of it simply as "adware"; I guess it's evolved some since then) but I wrote quite trivially compared to Matthew's post on it, which is actually not about Superfish's super-bad behavior as much as it's about both proprietary and free software and hardware vendors failing us security-wise.

He's right: it has always been 0 days (hours, nanoseconds, eyeblinks) since our last security exploit (most of which we'll never know about; think of every unknown hacker out there, every bad actor from your self-taught script kiddie practicing on your website for the lulz right up through credit card hackers and the NSA).

But what about Superfish? I think I just hoped it would go away instead of coming back to behave more maliciously than ever - so much so that many people are understandably going nuts about the sad state of end-user security in general.

Re-posted from my website; written 8-26-11, updated 9-9-11 and 4-21-12.

For weeks I noticed Firefox making multiple connections to superfish.com, especially if I went to google.com or loaded my own website. Owing to the latter, I originally suspected some plugin in my WordPress install was at fault, but I couldn't find anything wrong. I checked and dumped all my cookies (including Flash cookies) and checked local files and folders. I’m this computer’s only user so there’s no chance that, for instance, something installed on another user’s account could cause this to happen.

So I kept checking Google for any new discussions of these annoying, mysterious connections to Superfish but all I could find were the same conversations about how it's pre-loaded into the IETab add-on and the Window Shopper add-on. I don’t have (and have never had) those add-ons installed.

So I checked my other browsers (I own all the latest versions) but none of them were making connections to Superfish. I also searched my computer with Everything (the search tool) and ran HijackThis and MalwareBytes to make sure there were no localized Superfish infections. Finally I had no choice but to disable my Firefox 6 add-ons five at a time, then re-enable them one by one to find which one was at fault.

Of the first five add-ons I tested (in alphabetical order: AdBlockPlus, BetterPrivacy, (Marc Belmont's) Calculator, ColorZilla, and CoLT), Firefox began making connections to Superfish only once I re-enabled Calculator. That concluded my testing. This is the official Mozilla page for the add-on: https://addons.mozilla.org/en-US/firefox/addon/calculator/. I might be the first person to blog about it, but I'm not the first person to bring it to the dev's attention: see this.

Update, 9-9-11: The add-on maker gave a response today to complaints about Superfish: "You can easily disable this feature in the extension preferences. Click disable "Similar Product service." It also appears (though I can't find a search engine cache to help confirm it) that he updated his add-on's description only today to reflect the inclusion of Superfish adware even though it's been in the product all summer.

The description now reads, in part: "Calculator is working with Superfish to bring you a similar products finder on the shopping sites you visit. This system allows you to find better deals when shopping online. It instantly compares prices and finds similar products on millions of products on the web. You can disable this feature in the extension preferences."

In other words, he's getting a kickback from Superfish to include adware in his add-on. Nice!

I've kept this add-on disabled since discovering it connects to Superfish, but tonight I uninstalled, then re-installed it to see if Marc now offers an initial setup page (like the pages WOT, ColorZilla, TabMixPlus and many other add-on makers offer on first run). He doesn't* (see update below: as of 2-2012, he offers an initial setup page, but it blows itself up before you can use it), so there's no way for new users to know this add-on hits them with Superfish adware unless they read through his lengthy product description on mozilla.org, or else manually open the options pane and read through every option, or else trace the adware infection back to his add-on as I and other users have done.

It says a lot that it's taken at least three complaints from users (including my original post) to get him to admit this adware gets installed with the add-on. When the constant connections it makes to superfish.com slow down browsing and don't perform as advertised (no "similar products finder" was visible on Google or on my previous website, for instance, leading me to believe it also functions as a hidden tracker* (see update below: it is a tracker)), it seems awfully shady of him not to mention it a lot sooner.

Update 4-21-12: According to a February 2012 review, Marc has further updated Calculator to officially include a tracker that personally identifies you when you visit any website:

Calculator/superfish now has a userId that personally identifies YOU

by John LoVerso on February 7, 2012

I would give this a 5 star rating other than the hidden "superfish" installation. As long as that's included, I give this *zero*.

I'm most certainly alarmed by the change added in 1.1.24: http://code.google.com/p/firefoxcalculator/source/detail?r=ac559fc1125baf64fb5528bde4cea191cf7afb09 "add userId parameter to superfish url"

The "userId" is set to the timestamp when superfish is first queried. That may not be globally unique, but it's good enough to invisibly track all the pages visited by your browser and link them to *you*.

John goes on to explain how to make the add-on work without Superfish tracking - which apparently involves altering a ton of files and sounds like it would drive even the most patient geek crazy. While the add-on dev responds that "If you don't like the superfish service, there's an easier solution. Go to the extension preferences and disable superfish", my hunch is the harder method probably ensures Superfish tracking is completely disabled, while simply disabling Superfish from the preferences doesn't ensure tracking will stop at all.
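As an added illustration (not code from the original post or from the Calculator add-on), here is a small Python log check a defender could run over outbound HTTP logs to see what a timestamp-derived userId gives away: every superfish.com request carrying the same userId is grouped, and the distinct page hosts tied to that id show how one value links visits across unrelated sites. The log format, the request path and the url= parameter are constructed assumptions; only the userId parameter and its timestamp origin come from the review quoted above.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed proxy-style log ("<time> <client> <method> <url>"). The superfish.com
# path and the "url=" parameter are assumptions; only "userId" comes from the review.
SAMPLE_LOG = """\
2012-02-07T14:03:12Z 10.0.0.5 GET http://www.superfish.com/ws/similar?userId=1328623392&url=http%3A%2F%2Fwww.google.com%2F
2012-02-07T14:03:13Z 10.0.0.5 GET http://www.google.com/
2012-02-07T14:09:40Z 10.0.0.5 GET http://www.superfish.com/ws/similar?userId=1328623392&url=http%3A%2F%2Fexample.org%2Fblog%2F
2012-02-07T14:20:05Z 10.0.0.5 GET http://www.superfish.com/ws/similar?userId=1328623392&url=http%3A%2F%2Fshop.example.com%2Fitem%2F42
2012-02-07T14:21:00Z 10.0.0.9 GET http://www.superfish.com/ws/similar?userId=1328600000&url=http%3A%2F%2Fwww.google.com%2F
"""

def is_superfish(url):
    """True for requests to superfish.com or any of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == "superfish.com" or host.endswith(".superfish.com")

def userid_first_seen(userid):
    """The review says userId is the timestamp of the first Superfish query;
    assumed here to be Unix seconds (13 or more digits are treated as milliseconds)."""
    value = int(userid)
    if len(userid) >= 13:
        value //= 1000
    return datetime.fromtimestamp(value, tz=timezone.utc)

def superfish_sessions(log_text):
    """Map each userId to the ordered (time, page) pairs it was sent alongside."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, _client, _method, url = line.split(" ", 3)
        if not is_superfish(url):
            continue
        qs = parse_qs(urlparse(url).query)
        if "userId" not in qs:
            continue
        sessions[qs["userId"][0]].append((ts, qs.get("url", [""])[0]))
    return dict(sessions)

def linked_hosts(sessions):
    """Distinct page hosts per userId; more than one means the id links browsing across sites."""
    return {uid: sorted({urlparse(p).hostname for _, p in v if p})
            for uid, v in sessions.items()}

if __name__ == "__main__":
    for uid, hosts in linked_hosts(superfish_sessions(SAMPLE_LOG)).items():
        print(uid, userid_first_seen(uid).isoformat(), hosts)
```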

Update 2, 4-21-12: I re-installed Calculator tonight to see what's up - and while Marc now offers an initial setup page that lets you immediately disable Superfish, it disappears before you can do anything with it. Thinking it was some conflict with my browser or other add-ons, I uninstalled, then reinstalled Calculator, but the initial setup page was not offered again until I opened a new window to preview this post, then it opened instead of the preview - a good 20 minutes later. I'd hate to suspect that the faulty setup page is, I don't know, on purpose?...