Oh, pretty sweet. So mozilla more or less broke one of my favorite and most used extensions for me. I guess I should figure out how to turn OFF the automatic updates which I don't want, to prevent this kind of thing from happening in the future. Video DownloadHelper is the most complete tool to extract videos and image files from Web sites and save them to your hard drive. Just surf the Web as you are used to, when DownloadHelper detects it can do something for you, the toolbar icon highlights and a menu allows you to download files by simply clicking an item. Flash Video Downloader for Mozilla Firefox. Flash Video Downloader for Mozilla Firefox - Quick Guide. Last Updated: Jan 03, 2017 12:01PM EST. As soon as you install Flash Video Downloader plugin, new buttons depicting blue arrows will appear on top and bottom panels of your Mozilla Firefox Internet browser. How to download video? Video DownloadHelper is the most complete tool to extract videos and image files from Web sites and save them to your hard drive. Just surf the Web as you are used to, when DownloadHelper detects it can do something for you, the toolbar icon highlights and a menu allows you to download files by simply clicking an item. The Development Channel lets you test an experimental new version of this add-on before it's released to the general public. Once you install the development version, you will continue to get updates from this channel.
Critical Issues with Flash Video Downloader Crashing Firefox Nightly on Startup after XPI Self-Modification for Malware Injection
Flash Video Downloader (FVD) is updating its own XPI to version v16.3.8 unreviewed by Mozilla, circumventing Mozilla add-on review process (it seems for many releases over the past 6 months, over which period it completely stopped even attempting to make releases on addons.mozillla.org), hacking itself, to inject CSP rules and scripts into its manifest for malware domain mdn2015x4.com.
Flash Video Downloader (FVD) v16.3.8 installed in this way is causing Firefox Nightly to crash every time on startup. Tomtom 3rd edition gps manual.
Every time I launched Firefox I ended up with another FVD_Downloader_Module.exe process spawned on Firefox startup, even when not using FVD, and those processes remain, even after closing Firefox (they may or may not remain or continue to pile up in cases when Firefox does not crash), so that I ended up with 12+ (and growing) number of FVD_Downloader_Module.exe processes running forever in the background.
Steps to Reproduce
Install Flash Video Downloader (FVD) (https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/) with Firefox Nightly for Windows 10 x64. Backup the .xpi file located at the following path (for comparision, as it modifies/replaces its own XPI to unapproved, unstable and seemingly malware infected version):
<ProfileFolder>/extensions/artur.dubovoy@gmail.com.xpi
Go to a video page (such as https://www.youtube.com/watch?v=-GyOZ5-KrSs) and click FVD toolbar button, and you will see that for most download options a 'Convert' button is shown instead of 'Download'
Click the Convert button, and an overlay is shown with a 'Download FVD Downloader Module' prompt button:
3B. Alternatively, you can go to the Settings page for the FVD extension, and you will see the same 'Download FVD Downloader Module' button there too:
Click the 'Download FVD Downloader Module' button which takes to page (http://fvdmedia.com/installation-guide-windows/) which downloads and prompts user to install (and add anti-virus exception for)
'FVD_Downloader_Module.exe', like shown below:
Download games for pcsx2.Install 'FVD_Downloader_Module.exe' and restart Firefox Nightly, which results in installing Windows program 'FVD Downloader Module' (v1.0.8 in my case) to file path:
C:Users<UserName>AppDataRoamingFVD Downloader ModuleFVD_Downloader_Module.exe
You will see that the extension XPI file (artur.dubovoy@gmail.com.xpi) has been updated to
v16.3.8 (or a much newer version than v16.2.9, from 6 months ago, which is the latest version available at https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/).Firefox Nightly then crashes about 2 seconds after launched, every single time it is launched. This occurs before could even attempt to view Console or perform any other kind of debugging. Also, the FVD extension update does not even show up under about:addons > gear icon > View Recent Updates. All of this made it very difficult for users to determine the cause of Firefox crashing on startup.
You can open the XPI and view its manifest.json file to confirm the version it was updated to (since it crashes Firefox Nightly on startup for me preventing inspecting its version on about:Addons) to compare differences in xpi.
If you don't see that the XPI was updated yet (from latest release v16.2.9 on addons.mozilla.org to v16.3.8 like in my case), you may need to restart your PC or wait a while for it to perform an auto-update.
If for some reason you don't see the same XPI version (v16.3.8) or don't see crashes on startup, this could be due to what version of the 'FVD Downloader Module' was installed (1.0.8 in my case). However, most FVD users will have the 'Binary Component' installed long ago, like in my case, so that the majority of users will encounter the same issues as myself.
You can disable the Add-on (once the .exe updated to v16.3.8 or you manually installed that version as provided in the .7z archive download link), startup Firefox Nightly, then manually enable the addon. Within 2 seconds of it being enabled, Firefox Nightly crashes (even when no other add-ons are enabled).
I confirmed that FVD is the source of these crashes on startups by removing all other add-ons and starting Firefox with a new clean profile with FVD installed and seeing that it causes Firefox Nightly to crash on startup or when the addon is enabled.
Direct Downloaded of Unauthorized, Crash Inducing, Possibly Malware Infected XPI
You can download this .7z archive which includes v16.3.8 (unauthorized, possibly malware version installed by FVD's binary component which crashes Firefox) of artur.dubovoy@gmail.com.xpi.
This also includes the older v16.2.9 public Mozilla Addons release and the manifest.json file from each of those XPIs, for easy comparison.
You can manually install the XPI from the VirusOrCrashesFirefox-v16.3.8/ folder in that .7z to reproduce these issues or inspect that XPI without following all of the above steps, or if unable to reproduce via the above steps.
Crash Details and Failed Add-on Abuse & Crash Reports
You can review to the crash report I submitted at 4/28/2019 at 6:18pm PST here for when FVD v16.3.8 causes Firefox to crash on startup.
According to that crash report, this may relate to Mozilla bug 1547596 'Crash in mozilla::DataStorage::Remove'.
In some tests 64-bit processing is even slower than 32-bit. Windows vista business 64 bit iso download italiano. Flexbeta (link dead) performed 32bit vs 64bit Windows Vista comparison test (albeit on RC1 Vista release) with the result showing 64-bit Vista hardly any noticeably faster than 32-bit Vista.
I submitted a report via 'Report this add-on for abuse' button on the Add-on page at https://addons.mozilla.org/en-US/firefox/addon/flash-video-downloader/ around on 4/28/2019 around 7:20pm PST.
Mozilla Firefox Video Downloader Plugin
You can also find an Add-on review describing this issue.
I provided contact info in those reports but haven't received any responses since submitted on 4/28/2018 for a critical issue that has been causing crashes on startup in addition to its clear violation of Mozilla add-on review policy and malware-like behavior. Also, I haven't found any recent Mozilla bug reports related to Flash Video Downloader result from that, which is why I am submitting this bug report here with further details.
Suggested Actions
I would suggest:
- Investigating for abuse (or suggesting the abuse report I'd filed be investigated/prioritized, as it seems like it wasn't acted on)
- Investigating whether FVD is prompting install of malware, violating Mozilla policies with modifying its own XPI to unreviewed versions.
- Contacting the add-on developer about how should submit versions for review via addons.mozilla.org instead of via their new .exe distribution workaround (which seems has been used exclusively for distributing .xpi updates for the past 6 months).
- Ensuring this add-on no longer causes crashes on startup with Firefox Nightly or other Firefox releases (which may not have any fixes available for a while to them, even if fixed in Firefox Nightly)
- Possibly blacklisting FVD version 16.3.8 or other unreviewed or crash-inducing or malware-like versions of FVD.
- Investigating whether the newer XPI versions its exe is installing, as well as even older versions, are exhibiting malware-like behavior with mdn2015x4.com scripts or via any other means.
Concerns
Firefox Youtube Downloader
FVD has circumvented the Mozilla Addon review process, and is modifying/replacing its own .xpi file with versions not reviewed by Mozilla, which adds CSP rules and scripts from malware domain
mdn2015x4.com.
It has done so by prompting users to install an .exe as is required for even basic usage for FVD prompting users to install when they attempt to download many/most videos, as well as even potentially infecting the browser itself, with the XPI indirectly modifying its own .XPI file.
The result is, at best, instability causing Firefox Nightly to crash every time on startup (in a way that makes it very difficult to determine the cause and disable the extension, as it doesn't even appear under 'Recently Updated Extensions'). At worst, this may be installing malware into the browser.
Major Differences with Unreviewed FVD v16.3.8 XPI vs v16.2.9 (Injected Possible Malware Domain, CSP, and Scripts for All Pages)
After comparing the manifest.json files (as included in the linked to .7z download) for both the Mozilla reviewed and unreviewed/stable versions of the XPI files for FVD, I noticed the following following are the key suspicious additions to manifest.json for v16.3.8 compared to v16.2.9.
Added a CSP Content Security Policy for all pages for mdn2015x4.com, which appears to be a malware domain:
'content_security_policy': 'script-src 'self' *.mdn2015x4.com; object-src 'self',
Injects 2 new scripts which run for all pages (and which are new .js files not found in the version reviewed by Mozilla) including:
- Adds a script from malware domain mdn2015x4.com to popup.html
My Configuration
- Firefox Nightly 68.0a1 (2019-04-28) (64-bit)
- Windows 10 Pro x64