Reviews for Audible Backup
Audible Backup by Patrick Meyer
Review by SMcCandlish
Rated 2 out of 5
by SMcCandlish, 4 years ago
Security hole, and not really working. First, it wants permission to access all your data at all websites, when it does not need to do this. It only needs *.audible.[tld], and *.amazon.[tld], and optionally some site you control for uploads. I'll give it two stars for being functional as an addon at all; it appears in the menu, has an icon, has an interface, etc.
However, it doesn't seem to do anything if you tell it to save locally, with a file:///... URL (which is probably what 99.99% of people would want to do, since they are not administrators of some remote https://... website with WebDAV uploading). And this remote upload feature will only accept a URL as input, not separate user ID and password fields, so it appears that you'll have to URL-encode any necessary ID and password in the upload URL, which is yet another security hole.
And it appears to be hardcoded to use the amazon.de authentication interface, so if you are not in Germany (or using a VPN that spoofs you being in Germany), you can't use this at all. Which makes very little sense, since the interface language is English. Worse, if you are already logged into Audible, the extension cannot recognize this. And finally, if you really are in some other country, the Audible.[country-code] site you will probably be using does not actually share account data with Audible.com anyway. E.g., I was using a VPN that showed me being in Canada, and Audible.com forcibly redirects such IP addresses to Audible.ca; while my Amazon & Audible login credentials worked there (through Amazon.ca), my Audible.ca account was empty and showed none of my Audible.com library contents. So, jumping through VPN hoops to use Audible.de and (for login auth) Amazon.de simply isn't going to work.
This addon appears to be for no one but Germans in Germany who use (and only use) Audible.de and Amazon.de, and who are fond of using English-language interfaces for no particular reason, and who are webmasters of websites they can auto-upload to through a Firefox addon, but who also don't care about passwords being sent in the clear to that site they run. Maybe that's a target market of ... half a dozen people?
All that said, the bare guts of this are probably functional, and with not-very-complicated work it should be viable. It needs to: 1) support whatever amazon.[tld] and audible.[tld] site you actually need; 2) stop asking for access to every website; 3) default to saving files locally (either by picking a location with standard UI widgets, or entering a file:/// path); and 4) only ask for a remote upload host if someone wants that (then add that host to the sites it has permission to access, and treat ID and PW info securely).
Developer response
posted 4 years ago
Haha, your assessment is almost spot on. I'm the author of this plugin and here are some pointers to why I made some of those bad decisions:
Q1) support whatever amazon.[tld] and audible.[tld] site you actually need:
Yes, totally. I actually verified the scraper to work for amazon.com too but I wasn't too sure how to integrate the many audible sites UX wise. Currently I just check if the library URL of audible.de redirects to the login page. If not: change the icon and stop showing the login link. It should be fairly easy to integrate more audible sites, it's mainly these UX flows that need to be redesigned.
Q2) stop asking for access to every website:
Yeah... I'd like to. Thing is, as you noted, this plugin uploads to a self hosted server. I want my half a dozen friends using this plugin to be able to set their own server URL via the plugin UI. That means I can't actually know which sites I have to give this plugin access to in its manifest. Ideas welcome. On a side note: This isn't actually WebDAV. It probably should be but I just hacked together some REST API. The server is not even open source (yet?). It's rather simple though.
Q3) default to saving files locally:
I considered adding this functionality, but last time I checked this wasn't really feasible. The file picker is AFAIK not able to pick a folder at all, but only files. There is an experimental FileSystem JS api, but that was pretty much chrome only last time I checked. Would be great to have though, I agree!
Q4) only ask for a remote upload host if someone wants that (then add that host to the sites it has permission to access, and treat ID and PW info securely):
I'd love to, I don't think I can ask for host permissions past the installation though. If you find a way I will fix this. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions Otherwise you could upload a second, more locked down, version of this plugin that only has access to the audible domains. Only makes sense after solving Q3 though.
Re "treat ID and PW info securely": That is actually precisely the point of this extension. It never touches your username, password or even cookies at all. It just piggybacks onto your existing session. It requests audible endpoints. If you are logged in, the browser itself will inject the cookie into the request. If the audible endpoint doesn't redirect us to login we are good. This plugin never comes into contact with your session information and never sends any authentication information to the backup server. Feel free to audit/use from source :) https://github.com/HerrSpace/audible-backup-webextension
Thanks for taking the time to write this and I'm sorry this experience has been so frustrating for you.
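Added example, not the extension's own code and not the author's: the three mechanisms the exchange above turns on, written against the WebExtensions API shape. Q2/Q4 (only request host access for the origin the user actually types, at runtime, instead of every website) use `browser.permissions.contains`/`request` together with an `optional_permissions` manifest entry; the "piggyback on the existing session" check from the developer's reply is a `fetch` with `credentials: "include"` and `redirect: "manual"`, which never reads a cookie and treats a redirect as "not logged in"; Q3 (save locally) hands a Blob to `browser.downloads.download` with `saveAs: true`, so the browser's own file picker chooses the folder. The browser objects are passed in as parameters so the logic can be exercised outside a browser; the manifest constant, the URLs and the filename policy are assumptions for illustration.

```javascript
// Added example (not the project's code). Assumed manifest shape: host access
// for audible.de is fixed, any other https origin is optional and must be
// granted at runtime by the user.
const MANIFEST = {
  manifest_version: 2,
  permissions: ["downloads", "https://*.audible.de/*"],
  optional_permissions: ["https://*/*"],
};

// Turn a user-entered upload URL into the narrowest host match pattern.
// Rejects plain http and any URL that smuggles credentials as user:pass@host,
// which is the "ID and password in the URL" problem the review points out.
function originPattern(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== "https:") throw new Error("upload server must use https");
  if (u.username || u.password) throw new Error("credentials in the URL are not allowed");
  return `${u.origin}/*`;
}

// Ask for host access to the upload server only, and only when needed.
// permissionsApi is browser.permissions; request() must run from a user
// gesture (e.g. the options page's Save button click handler).
async function ensureUploadHostPermission(uploadUrl, permissionsApi) {
  const origins = [originPattern(uploadUrl)];
  if (await permissionsApi.contains({ origins })) return true;
  return permissionsApi.request({ origins });
}

// Session check without touching cookies: the browser attaches them itself
// because of credentials: "include". With redirect: "manual" a redirect (for
// example to the login page) surfaces as an opaqueredirect response instead
// of being followed, so "redirected" simply means "not logged in".
async function isLoggedIn(libraryUrl, fetchFn) {
  const resp = await fetchFn(libraryUrl, { credentials: "include", redirect: "manual" });
  if (resp.type === "opaqueredirect") return false;
  return resp.ok;
}

// Filename policy (assumed): keep a conservative character set, drop leading
// dots so the result is never hidden or a ".." component, cap the length.
function safeFilename(name) {
  const base = name.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "");
  return base.length ? base.slice(0, 200) : "audible-backup.json";
}

// Local save: the extension never needs folder access, the downloads API and
// saveAs: true let the user pick the destination with the browser's own UI.
// downloadsApi is browser.downloads; createObjectUrl is URL.createObjectURL.
async function saveLocally(jsonText, suggestedName, downloadsApi, createObjectUrl) {
  const blob = new Blob([jsonText], { type: "application/json" });
  const url = createObjectUrl(blob);
  return downloadsApi.download({ url, filename: safeFilename(suggestedName), saveAs: true });
}
```

Usage in the extension would be: on the options page, `await ensureUploadHostPermission(inputValue, browser.permissions)` inside the click handler and only then store the URL; in the background script, `await isLoggedIn("https://www.audible.de/library", fetch)` before scraping, and `saveLocally(JSON.stringify(library), "audible-library.json", browser.downloads, URL.createObjectURL)` as the default instead of the remote upload.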