Mozilla has eradicated 23 Firefox add-ons for monitoring user browsing habits and covertly sending data to remote servers.
The add-on has been downloaded over 220,000 times.
Web Security was originally included in a list of recommended add-ons posted on the official Firefox blog last week.
However, the recommendation was quietly removed after German security researcher Mike Kuketz revealed that the software sends user data to a server over an unencrypted HTTP channel, potentially exposing users to eavesdropping and Man-in-The-Middle (MiTM) attacks.
Mozilla told ZDNet at the time that the issue was being investigated.
Suggestions were also made by Firefox users that other add-ons conducted the same activities, which Firefox has taken seriously.
In a Mozilla Bugzilla update, engineer Jorge Villalobos said that while it is reasonable for some add-ons to check web pages in order to ascertain whether or not they are secure, additional issues were also brought up.
Data sent in an unsafe manner -- such as through the use of HTTP rather than HTTPS -- more information than necessary being transferred elsewhere, a lack of disclosure and code which "has the potential of executing remote code, which is partially obfuscated in its implementation" have all raised red flags at Firefox.
TechRepublic: Firefox Quantum: A cheat sheet for professionals
As a result, the Web Security extension was removed as part of a wider purge. The add-ons removed by Firefox have been listed by ID number and include Browser Security, SmartTube, DirtyLittleHelpers, YTTools, and Quick AMZ.
However, after engineers inspected the extensions, it has emerged that multiple add-ons acting under different names all have the "same code," according to Villalobos.
"Further inspection reveals they may all be the same person/group," the engineer said.
The extensions are no longer available to download and current users of the extension will find their add-ons have been disabled.
On Saturday, Web Security provided the following statement:
"Without question, we made mistakes in our free add-ons for which we would like to sincerely apologize. [...]
Encryption (SSL): The communication of our add-ons with the servers was not completely encrypted. This has been fixed on the server side and an update for the add-ons is ready and can be rolled out as soon as Mozilla unlocks the add-ons. [...]
We transfer the following data: - ID - Old URL / old host - New URL / new host - hash - App - Agent - Language. We use the ID to build a security chain that can consist of up to five consecutive requests.
Should the user enter a malicious website, then the transferred "old URL" and the "new URL" can be used to track from which website the user came to this malicious website. With this system, malicious pages get a "red" rating. Pages that link to "red" pages receive a "yellow" rating. All this data is used to improve our heuristics and threat analysis. The transmitted data is stored for a maximum of 15 minutes on our German servers and cannot be used to identify a natural person.
We use to transfer "App", "Agent", "Language" and "Hash" for statistical reasons. As part of the updates, however, this data will be removed in the next update.
In order to avoid ambiguity, we will further clarify the explanations of what data is transferred and what it is used for in more detail.
Remote Code Execution: Unfortunately, in the course of any continuous software development project remnants of old program code are always left behind. Such was the case for us, however, as reported in 7 out of 10 add-ons, this program code was no longer functional. In the past, this feature was used to quickly alert the user of critical threats without having to undergo the time-consuming update procedure. Mozilla's new update policy makes this feature obsolete and this the functionality is no longer in use. With the future update, the remaining fragments will be permanently removed.
In addition, we will improve our quality assurance management to avoid such code snippets or errors in the [future]. We regret the incident and would like to have the opportunity to regain the confidence placed in us by the users."
Update 17.8 20.08 BST: Popup Blocker Ultimate was incorrectly included in the list of banned add-ons. This has been corrected accordingly.