
Firefox axes 23 add-ons, developer pushes back

Mozilla has wiped 23 extensions from its directory of Firefox browser add-ons after finding what it says were inappropriate functions in the code.

The incident follows a report last week that German security add-on ‘Web Security’ had been misbehaving. Mozilla had highlighted the add-on in a blog post promoting a collection of security-focused extensions to the browser. That prompted eagle-eyed techies to pick apart the program and find out exactly what it was doing. They discovered it assigning each user an ID and sending information labelled ‘old-URL’ and ‘new-URL’ to a consistent IP address.
Mozilla did not immediately remove Web Security from its list of available extensions, although it did axe it from the blog post. Then, however, Mozilla engineer Rob Wu dug deeper, analysing the add-on’s code to understand its algorithm. He then checked all other browser extensions in the Firefox portfolio for similar patterns and found 22 of them.
Wu divided the patterns into two groups. The first sends browsing information to a remote server which could potentially launch a remote code execution attack on the client. Several of the now-banned extensions communicated with the same web server as Web Security.
The second doesn’t collect URL information, but is still able to launch a remote code execution attack on the client. This code was heavily obfuscated, said Wu.
Speaking to Bleeping Computer, Wu said:

All of these extensions used subtle code obfuscation, where actual legitimate extension functionality is mixed with seemingly innocent code, spread over multiple locations and files. The sheer number of misleading identifiers, obfuscated URLs / constants, and covert data flows left me with little doubt about the intentions of the author: It is apparent that they tried to hide malicious code in their add-on.

The discovery led Mozilla to take down a total of 23 add-ons from the Firefox extension collection. Going further still, engineers disabled the add-ons in users’ browsers, effectively wiping them from the entire ecosystem.
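The traits Wu describes (a per-user ID sent with old/new URL fields to a hard-coded IP, and URL constants split into fragments across files) are the kind of thing a defender can triage statically before installing an add-on. The following is an added example, not code from the article, from Mozilla, or from the add-on itself; the two sample files, the variable and field names, and the 203.0.113.5 address are all constructed for illustration:

```python
# Added example: a small static triage pass over an extension's JavaScript,
# modelled on the traits described in the article. Hypothetical code, not the
# add-on's own; sample files below are constructed (203.0.113.5 is a
# documentation address, not a real beacon endpoint).
import re
from typing import Dict, List

# Constructed sample: two files of a hypothetical add-on, with the beacon URL
# split across files the way the article describes.
SAMPLE_FILES: Dict[str, str] = {
    "background.js": (
        "const p1 = 'http://203.0.';\n"
        "browser.tabs.onUpdated.addListener((id, info, tab) => {\n"
        "  send({old_url: prev, new_url: tab.url, id: uid});\n"
        "});\n"
    ),
    "util.js": "const p2 = '113.5/track';\nconst host = p1 + p2;\n",
}

URL_FIELDS = re.compile(r"\b(old[_-]?url|new[_-]?url)\b", re.I)
NAV_API = re.compile(r"\b(tabs\.onUpdated|webNavigation\.on\w+)\b")
CONCAT = re.compile(r"=\s*(\w+)\s*\+\s*(\w+)")
STRING_LIT = re.compile(r"(\w+)\s*=\s*['\"]([^'\"]*)['\"]")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}")


def triage(files: Dict[str, str]) -> List[str]:
    """Return one finding per trait observed; an empty list means none seen."""
    consts: Dict[str, str] = {}
    for src in files.values():
        consts.update(STRING_LIT.findall(src))  # name -> string literal
    joined = "\n".join(files.values())
    findings: List[str] = []
    # Trait 1: a URL to a bare IP reassembled from fragments, possibly across files
    for a, b in CONCAT.findall(joined):
        if a in consts and b in consts:
            url = consts[a] + consts[b]
            if BARE_IP_URL.match(url):
                findings.append(f"url to bare IP assembled from fragments: {url}")
    # Trait 2: a navigation listener in the same file as old/new URL fields
    for name, src in files.items():
        if NAV_API.search(src) and URL_FIELDS.search(src):
            findings.append(f"{name}: navigation listener reports old/new URL")
    # Trait 3: a per-user identifier included in the beacon payload
    if re.search(r"\bid\s*:\s*\w*uid\w*", joined):
        findings.append("per-user id included in beacon")
    return findings
```

A real review would still need to read the flagged code by hand, since the patterns above only narrow down where to look.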

Developer pushes back

Some of the offending add-ons, including Web Security, came from German software developer Creative Software Solutions. Managing director Fabian Simon is less than impressed with Mozilla’s move. He commented directly on the bug report produced by the Mozilla engineers:

We use the ID to build a security chain that can consist of up to 5 consecutive requests. Should the user enter a malicious website, then the transferred “old URL” and the “new URL” can be used to track from which website the user came to this malicious website.

Malicious pages get a ‘red’ rating, he explained, adding that pages linking to them are tagged ‘yellow’. In addition to the ID and old and new URL data, the extension also sent information labelled ‘hash’, ‘app’, ‘agent’ and ‘language’. He said:

All this data is used to improve our heuristics and threat analysis. The transmitted data is stored for a maximum of 15 minutes on our German servers and cannot be used to identify a natural person.

Simon added that the company would remove this data in the next update.
He ‘fessed up to poor encryption measures in the software, adding that the company has now introduced SSL encryption on the server side and has updated the add-ons to support it on the client side, should Mozilla reinstate them. He concluded:

We regret the incident and would like to have the opportunity to regain the confidence placed in us by the users.

On Sunday, Mozilla had not responded to his comments in that thread.
Regardless of which side you come down on, the incident highlights the fact that browser add-ons can often do things without the knowledge of users. In July, researchers discovered an extensive list of add-ons for both Chrome and Firefox that made a list of every address of every webpage ever visited, combining it with a unique identifier. When it comes to browser privacy, that’s an unequivocal fail.

11 Comments

My guess is none of this was documented publicly by Creative until they were called on the carpet.

“every address of every webpage” – you’d think they’d be satisfied with merely the address of every web page.
Sensationalist headline, BTW: “Firefox axes [some] add-ons”.

The words “developer pushes back” (singular) in the headline caused me to interpret it as meaning: “Developer fights back after his add-ons were booted out by Firefox.”
But I see your point – you can also read it as meaning: “The developer who’s fighting back against the Firefox ban on add-ons.”
I’ll tweak the headline to make it clearer by adding “23”…

At minimum, the add-on failed to reveal that it transmits the user’s live browsing history back to the developer. That’s something people would want to know.

Users who don’t have a habit of reading their extensions’ permissions should be more careful about vetoing which extensions they install and which just aren’t worth the risks. Users can also use the Project Insight extension to re-review the permissions of extensions that they already have installed.

Fabian Simon was also managing director of several related companies (all German) and has been in the advertising industry for years, according to publicly available data on German company databases.
