Mozilla wipes 23 Firefox add-ons off the map for tracking user activity

Mozilla has eradicated 23 Firefox add-ons for monitoring user browsing habits and covertly sending data to remote servers.

The move was prompted by Web Security, a Firefox browser add-on which was found to be tracking web page visits and sending this information to a server in Germany.

The add-on has been downloaded over 220,000 times.

Web Security was originally included in a list of recommended add-ons posted on the official Firefox blog last week.

However, the recommendation was quietly removed after German security researcher Mike Kuketz revealed that the software sends user data to a server over an unencrypted HTTP channel, potentially exposing users to eavesdropping and Man-in-the-Middle (MitM) attacks.

Mozilla told ZDNet at the time that the issue was being investigated.

Firefox users also suggested that other add-ons conducted the same activities, a claim Firefox has taken seriously.

In a Mozilla Bugzilla update, engineer Jorge Villalobos said that while it is reasonable for some add-ons to check web pages in order to ascertain whether or not they are secure, additional issues were also brought up.

Data sent in an unsafe manner (such as over HTTP rather than HTTPS), more information than necessary being transferred elsewhere, a lack of disclosure, and code which “has the potential of executing remote code, which is partially obfuscated in its implementation” have all raised red flags at Firefox.

As a result, the Web Security extension was removed as part of a wider purge. The add-ons removed by Firefox have been listed by ID number and include Browser Security, SmartTube, DirtyLittleHelpers, YTTools, and Quick AMZ.

However, after engineers inspected the extensions, it has emerged that multiple add-ons acting under different names all have the “same code,” according to Villalobos.

“Further inspection reveals they may all be the same person/group,” the engineer said.

The extensions are no longer available to download, and current users will find that the add-ons have been disabled.

Update 20.08 BST: Popup Blocker Ultimate was incorrectly included in the list of banned add-ons. This has been corrected accordingly.
