The version number for the extension in my browser (1.8.8) doesn't match the latest release that's visible on this otherwise public repository (1.8.0).
So presumably at some point "someone" "somewhere" modified or added some files to the source code of this extension out of public view... and then "somehow" got a hold of this dev account password or whatever which was subsequently used to surreptitiously push it to the chrome webstore...
maybe perhaps related to this: https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/
the affected addons list only mentions jiffyreader for chrome (or some addon masquerading as actual jiffy reader). Could be Mozilla found the addon doing something it shouldn't?
edit: in jiffy reader's github: https://github.com/ansh/jiffyreader.com/issues/342
tl;dr Add-on developer ansh sold out the extension to new owners. Committed updates 1.8.8 to the Mozilla repository, but nothing on GitHub containing the malware. The malware was a custom implementation of the mellowtel scraper mentioned in the arstechnica article. It had the opt-in functionality disabled and other "bugs" which caused excessive bandwidth usage. Please be aware there is no independent verification whether or not more possible harm was caused than the mentioned mellowtel scraping.
By jiffyreader, from the GitHub link provided:
"Hey all,
Sorry for the delay in answering here. I was waiting for the dust to settle a little bit before clearing things up. I tried to explain the timeline and sequence of actions in the last messages. Many of you want to know the reasons behind them.
I saw that developers were earning a lot from turning their products into proxies for scraping and were being paid by proxy providers like anyIP or brightdata. Usually they pay more for mobile proxies. So I decided to try a similar idea. I saw that Jiffy Reader had already tried with mellowtel but had stopped after a while. I thought I could monetize it by making a custom integration and bought the plugin. I tried the open source version of mellowtel but changed the code in order to make it native (refer to the Single Purpose policy issue above) and removed some of the limits in the library. In the process I introduced bugs and caused issues to a lot of you which triggered the malware report. The reason why these bugs were not immediately clear and I couldn’t solve them is because they showed up based on some specific requests/websites (google search or pdf download, etc.) and device conditions (pdf viewer open/scrolling a tab with videos) which I didn’t have a way to replicate and solve.
As I remarked before, the plugin didn’t steal any cookies/credit cards/password or personal data and you can check the network output logs or any VPN logs to confirm. You are still free to change passwords/auth sessions but JiffyReader didn’t collect or leak any of this personal information.
Ideally, I wanted to keep the product running/improving it and using this forked version for monetization without affecting users negatively. But in my eagerness to have the version accepted by the review team I changed the code to not display the opt-in and out page immediately and that removed a lot of user control. And I think I introduced some bugs (but from an arstechnica article that @concernedcitizen2 has also linked it looks like the original library had some issues on its own, so it could also be due to that).
For GDPR, I haven’t collected any data from this bandwidth sharing monetization (including IPs which I don’t store). The privacy policy on the website refers to google analytics, to the Crisp web chat and to any contact information the user might pass to us. The public pages that were scraped didn’t have to do anything with the websites a user might be visiting. The same goes for Meucci.js which just monitored xhr/ajax requests INSIDE the session-less frame, not outside, so again it didn’t revolve around any user data. You can look at the mellowtel library since I used a lot of that code.
Sorry for the issues and concerns I’ve caused with these actions.
I will be committing all changes to this repo and removing all the flawed forked code. I will also send a new version for the same to FireFox, Edge and Chrome again. Going forward, I will always keep the open-source version in sync with the submitted version.
If anyone wants to reach out, you can do at jiffyreader007@gmail.com. I feel like it’s not good to keep this discussion on this repo and I’ve created a separate Discord in the meanwhile: https://discord.gg/cjwS8vmR3R
I’m really sorry for this and having removed a useful plugin that so many people used. Thanks for your understanding."
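As an added example, not code from the thread or from the JiffyReader project: a short Python audit that turns the version mismatch noted above (1.8.8 installed, 1.8.0 the newest public release) into a repeatable check, reading the version fields from the manifests a browser profile has installed and comparing them with the release tags the public repo actually published. The tag list is a constructed stand-in for `git tag` on the public repo, and any manifest bodies fed to it are constructed test input.

```python
"""Compare installed browser-extension versions with the public repo's release tags."""
import json
import re
from pathlib import Path

# Constructed stand-in for `git tag` on the public repository; the thread reports
# 1.8.0 as the newest release visible on GitHub, the other two tags are made up.
PUBLIC_TAGS = ["v1.7.0", "v1.7.9", "v1.8.0"]

def parse_version(v: str) -> tuple:
    """'v1.8.8' -> (1, 8, 8). Numeric tuples compare correctly (1.10 > 1.9), and
    trailing zeros are dropped so '1.8' and '1.8.0' name the same release."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def versions_from_manifests(texts: list) -> list:
    """Pull the 'version' field from each manifest.json body; skip anything unparsable."""
    versions = []
    for text in texts:
        try:
            data = json.loads(text)
        except json.JSONDecodeError:
            continue
        if isinstance(data, dict) and "version" in data:
            versions.append(str(data["version"]))
    return versions

def installed_versions(ext_dir) -> list:
    """Read every manifest.json below an extension's install directory. Chrome lays
    them out as Extensions/<id>/<version>_0/manifest.json; Firefox packs the manifest
    inside an .xpi archive, which this helper does not open."""
    texts = []
    for manifest in Path(ext_dir).rglob("manifest.json"):
        try:
            texts.append(manifest.read_text(encoding="utf-8"))
        except OSError:
            continue
    return versions_from_manifests(texts)

def audit(installed: list, public_tags: list) -> dict:
    """Flag installed versions with no public release, and those newer than every
    release: the JiffyReader pattern (1.8.8 in the browser, 1.8.0 newest on GitHub)."""
    public = {parse_version(t) for t in public_tags}
    newest = max(public) if public else ()
    return {"unpublished": [v for v in installed if parse_version(v) not in public],
            "ahead_of_repo": [v for v in installed if parse_version(v) > newest]}
```

A version that does appear among the public tags is only a weak signal: it says nothing about whether the packaged files match the tagged source, which only a reproducible build of the store package can show.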
This is genuinely disturbing.
A developer was planning on sneaking data collection into a product through a sketchy terms of service. That on its own should keep the app out of any marketplace.
The subsequent claim that the developer simply forgot to include this in the TOS doesn't get any extra sympathy from me. Funny the apology only appeared after the developer got caught with their pants down, isn't it?
Look at the contributor list. The "owner" didn't write most of the recent commits. I wonder how asieduernest12 feels about this sale.
That GitHub discussion seems to confirm it. The developers shutting down their extension immediately afterwards too just reeks of suspicious activity.