Mozilla Removes Dangerous Add-On

  • July 17, 2010

The official Mozilla blog recently announced the removal of an add-on that was transmitting users' personal and confidential data to a remote site.

The add-on is (or was) called Mozilla Sniffer. It was uploaded to Mozilla's official add-on site on June 6th, was downloaded by 1800 users, and 334 had it active. The add-on apparently took all of the users' private browsing data (such as user names and passwords) and sent it to a remote site.

Since Mozilla has blacklisted this add-on, everyone who had it running should see it disabled in their browsers.

Mozilla also makes a contradictory statement about this situation:

“Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.”

But later in the same article:

“Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site.”

Damn right you’ll be reviewing those add-ons! If you are publishing add-ons, features and options for your product on your own site, you should be aware that there’s a responsibility behind it.

Author:

Computer geek and fan of the latest technologies, especially those within IT. I'm working as an IT consultant and project manager. Microsoft Student Partner, MCTS and MCITP.