News Mozilla publishes initial analysis of extensions gaffe

Discussion in 'Article Discussion' started by bit-tech, 10 May 2019.

  1. bit-tech

    bit-tech Supreme Overlord Lover of bit-tech Administrator

    Joined:
    12 Mar 2001
    Posts:
    3,676
    Likes Received:
    138
     
  2. David

    David μoʍ ɼouმ qᴉq λon ƨbԍuq ϝʁλᴉuმ ϝo ʁԍɑq ϝμᴉƨ

    Joined:
    7 Apr 2009
    Posts:
    17,447
    Likes Received:
    5,851
    If the telemetry system has the facility for two-way traffic, isn't it a potential attack vector?
     
    Fingers66 likes this.
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,129
    Likes Received:
    6,717
    It's not the telemetry system that's two-way - and it's not the telemetry system they used to install the patch.

    Firefox has a thing called "Studies". The Studies system lets Mozilla try out new features or functionality by pushing them out to only a subset of its users - A-B testing. Group A gets the feature, Group B does not. Mozilla can then monitor the telemetry to see if the new functionality is a blessing or a curse.

    Studies doesn't work without telemetry, because Mozilla needs to know how the users are getting on with the feature being studied. That's fine for its intended use, but the problem comes when you try to send out an emergency patch using the Studies system (making 100% of users in Group A, 0% in Group B): anybody who turned telemetry off also turned off Studies at the same time, and the only way they can get the patch is to turn Studies on which also turns on telemetry - even though, in this case, Mozilla doesn't care about the telemetry (and, indeed, is deleting the telemetry it received.)

    Studies is no more an attack vector than anything else in the browser: all studies are published by Mozilla itself and signed with a security certificate (as are add-ons, which can also be updated outside of installing a new version of the browser - and it's that security layer that caused all this trouble to start with.)

    The fix, as Mozilla has explained, is to make sure that there's a means to roll out an emergency hotfix that doesn't rely on abusing the Studies system and thus won't need the privacy-conscious to turn telemetry back on again.
     
    MLyons and David like this.
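The staged rollout and the "studies are signed and only reach opted-in users" points above, as an added illustration that is not part of the thread and not Mozilla's code: a toy study manifest is checked for a valid tag, each client is placed deterministically into Group A or Group B by hashing its id against the study name, and enrollment is skipped outright for clients that turned telemetry (and therefore Studies) off. The manifest fields, the `Client` class and the HMAC tag standing in for a certificate signature are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed stand-in for the signing certificate the post mentions.
# A real deployment would verify an asymmetric signature; HMAC keeps this self-contained.
SIGNING_KEY = b"constructed-demo-key"


def canonical(manifest: dict) -> bytes:
    """Serialise a manifest in a fixed field order so the tag covers every field."""
    return "|".join(f"{k}={manifest[k]}" for k in sorted(manifest)).encode()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes = SIGNING_KEY) -> bool:
    # Constant-time comparison: a tampered manifest or tag must be rejected.
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def cohort_bucket(client_id: str, study_name: str) -> int:
    """Deterministic 0..99 bucket: the same client always lands in the same group
    for a given study, and different studies shuffle clients independently."""
    digest = hashlib.sha256(f"{study_name}:{client_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


class Client:
    """Hypothetical browser profile; field names are assumptions for this example."""

    def __init__(self, client_id: str, telemetry_enabled: bool):
        self.client_id = client_id
        self.telemetry_enabled = telemetry_enabled
        # Studies rides on telemetry: switching telemetry off switches Studies off too.
        self.studies_enabled = telemetry_enabled
        self.features: set[str] = set()


def enroll(client: Client, manifest: dict, tag: str) -> str:
    """Apply one study to one client and report what happened."""
    if not verify_manifest(manifest, tag):
        return "rejected: bad signature"
    if not client.studies_enabled:
        # Even a 100%-Group-A hotfix never reaches a client with Studies disabled.
        return "skipped: studies disabled"
    if cohort_bucket(client.client_id, manifest["name"]) < manifest["group_a_percent"]:
        client.features.add(manifest["feature"])
        return "group A"
    return "group B"


def rollout(clients: list, manifest: dict, tag: str) -> dict:
    return {c.client_id: enroll(c, manifest, tag) for c in clients}


if __name__ == "__main__":
    # Constructed sample: an "emergency hotfix" study with everyone in Group A.
    hotfix = {"name": "hotfix-demo", "feature": "re-enable-addons", "group_a_percent": 100}
    tag = sign_manifest(hotfix)
    fleet = [Client("profile-1", True), Client("profile-2", False), Client("profile-3", True)]
    for cid, result in rollout(fleet, hotfix, tag).items():
        print(cid, "->", result)
```

Running the block shows the gap the post describes: the opted-out profile reports "skipped: studies disabled" even though the manifest puts 100% of participants in Group A, and a manifest whose tag does not verify is rejected before any client is touched.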
  4. David

    David μoʍ ɼouმ qᴉq λon ƨbԍuq ϝʁλᴉuმ ϝo ʁԍɑq ϝμᴉƨ

    Joined:
    7 Apr 2009
    Posts:
    17,447
    Likes Received:
    5,851
    Cheers, Gareth, informative as always.
     
  5. Xlog

    Xlog Minimodder

    Joined:
    16 Dec 2006
    Posts:
    714
    Likes Received:
    80
    Here's a stupid question - why were only addons newer than ~2018-08 affected? Did Mozilla switch certs around that time?
     
  6. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    3,556
    Likes Received:
    646
    Pleasingly open, as one would hope.
     