Firefox axes 23 add-ons, developer pushes back

Mozilla has wiped 23 extensions from its directory of Firefox browser add-ons after finding what it says were inappropriate functions in the code.
The incident follows a report last week that German security add-on ‘Web Security’ had been misbehaving. Mozilla had highlighted the add-on in a blog post promoting a collection of security-focused extensions to the browser. That prompted eagle-eyed techies to pick apart the program and find out exactly what it was doing. They discovered it assigning each user an ID and sending information labelled ‘old-URL’ and ‘new-URL’ to a consistent IP address.
Mozilla did not immediately remove Web Security from its list of available extensions, although it did axe it from the blog post. Then, however, Mozilla engineer Rob Wu dug deeper, analysing the add-on’s code to understand its algorithm. He then checked all other browser extensions in the Firefox portfolio for similar patterns and found 22 of them.
Wu divided the patterns into two groups. The first sends browsing information to a remote server which could potentially launch a remote code execution attack on the client. Several of the now-banned extensions communicated with the same web server as Web Security.
The second doesn’t collect URL information, but is still able to launch a remote code execution attack on the client. This code was heavily obfuscated, said Wu.
Speaking to Bleeping Computer, Wu said:

All of these extensions used subtle code obfuscation, where actual legitimate extension functionality is mixed with seemingly innocent code, spread over multiple locations and files. The sheer number of misleading identifiers, obfuscated URLs / constants, and covert data flows left me with little doubt about the intentions of the author: It is apparent that they tried to hide malicious code in their add-on.

The discovery led Mozilla to take down a total of 23 add-ons from the Firefox extension collection. Going further still, engineers disabled the add-ons in users’ browsers, effectively wiping them from the entire ecosystem.

Developer pushes back

Some of the offending add-ons, including Web Security, came from German software developer Creative Software Solutions. Managing director Fabian Simon is less than impressed with Mozilla’s move. He commented directly on the bug report produced by the Mozilla engineers:

We use the ID to build a security chain that can consist of up to 5 consecutive requests. Should the user enter a malicious website, then the transferred “old URL” and the “new URL” can be used to track from which website the user came to this malicious website.

Malicious pages get a ‘red’ rating, he explained, adding that pages linking to them are tagged ‘yellow’. In addition to the ID and old and new URL data, the extension also sent information labelled ‘hash’, ‘app’, ‘agent’ and ‘language’. He said:

All this data is used to improve our heuristics and threat analysis. The transmitted data is stored for a maximum of 15 minutes on our German servers and cannot be used to identify a natural person.

Simon added that the company would remove this data in the next update.
He ‘fessed up to poor encryption measures in the software, adding that the company has now introduced SSL encryption on the server side and has updated the add-ons to support it on the client side, should Mozilla reinstate them. He concluded:

We regret the incident and would like to have the opportunity to regain the confidence placed in us by the users.

On Sunday, Mozilla had not responded to his comments in that thread.
Regardless of which side you come down on, the incident highlights the fact that browser add-ons can often do things without the knowledge of users. In July, researchers discovered an extensive list of add-ons for both Chrome and Firefox that made a list of every address of every webpage ever visited, combining it with a unique identifier. When it comes to browser privacy, that’s an unequivocal fail.