... I mean, how can this possibly have happened.
Everyone knows that all OSS is thoroughly reviewed and vetted by all OSS consumers and contributors and that many eyes ensure that no bugs nor deliberate malware can possibly creep into an OSS source tree, right?
Right.
Mozilla has yanked a password-stealing browser add-on after the discovery that the add-on contains code that intercepts login data submitted to any website and sends this data to a remote location.
The add-on, called Mozilla Sniffer,” was uploaded to the addons.mozilla.org site on June 6. “Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users,” Mozilla explained.
The intercepted data included user passwords:
If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.
The open-source group said Mozilla Sniffer had been downloaded approximately 1,800 times and reported 334 active daily users.
All current users of the malicious add-on will receive an uninstall notification.
Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.
[ SEE: Microsoft exposes Firefox users to drive-by malware downloads ]
Mozilla plans to implement a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are available on the site.
Mozilla said a second add-on, called CoolPreviews, contains a vulnerability that exposes users to hacker attack.
[The] vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on addons.mozilla.org, and a fixed version was uploaded and reviewed within a day of the developer being notified.
[ SEE: Firefox hit by malicious add-ons ]
“If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution,” the group warned..
About 177,000 users have a vulnerable version of CoolPreviews installed. Mozilla plans to blacklist the vulnerable versions soon.
