Automatic updates of apps and plugins is usually a good thing for most people to stay secure and up to date. However, the mechanism can also be misused to place a cuckoo's egg on your device before you know it. After it would have happened twice to me in recent months if I had not turned auto updates off I thought I'd write a post about it.
The first time it almost happened was when the author of "ReloadEvery", a Firefox plugin I use to reload some pages every couple of minutes so my login would not expire decided to monetize the plugin and included self installing ad-ware in a new version. Fortunately, I had automatic updates disabled and only found out when I wanted to install it on another computer and was warned by the comments on the plugin page of other users. Older versions were still available for download and I could easily adapt an older non-adware version to my current browser version.
The second time it would have happened just recently was with the ShowIP add-on that suddenly started sending out all IP addresses visited to an external service once the latest version got installed. This time I was warned by a Sophos security post. It caused quite a row and for the moment the download page has reverted back to version 1.0 of the add-on. Go grab the add-on and store it on your PC for later re-installation if you use it while you can because it seems the authors may not have understood the real issue people have with this and have announced "improvements" that still send off the ip addresses to an external server but this time using an encrypted connection.
Anyway, the learnings I take away from this are:
a) Only use auto-update for programs you trust (e.g. OS update, Firefox, Thunderbird, etc) but not for add-ons
b) Be very careful what kind of free apps and add-ons you install PCs and mobile devices
c) Disable auto updates of everything else as sometimes you don't really get what you want.