Why Mozilla Banned 23 Firefox Add-Ons For Mining User Data
The ban hammer is hard at work in Mozilla land: the non-profit developer has recently deleted twenty-three Firefox add-ons from its https://addons.mozilla.org/en-US/firefox/ site after detecting that they harvested data from their users. Rob Wu, Browser Engineer and Add-on Reviewer for Mozilla, said: “The mentioned add-on has been taken down, together with others after I conducted a thorough audit of (the) add-ons. These add-ons are no longer available at AMO (addons.mozilla.org) and (have been) disabled in the browsers of users who installed them. I did the investigation voluntarily last weekend after spotting Raymond Hill’s comment on Reddit. I audited the source code of the extension, using tools including my extension source viewer.”
One of the malicious add-ons is ironically named Web security, which claimed to increase the browser’s security in real time. The add-on is not a small-time development project but a professionally programmed plug-in from a company named Creative Software Solutions (not related to Creative Labs), and it had already garnered over 220,000 downloads with a rating of 4.5/5.
In full agreement with Rob Wu’s claim, uBlock Origin’s programmer Raymond Hill emphasized: “With this extension, I see that for every page you load in your browser, there is a POST to http://18.104.22.168/. The posted data is garbled, maybe someone will have the time to investigate further.”
Creative Software Solutions, for its part, has denied the accusation and commented that it is a GDPR-compliant German company: “One of the security aspects includes checking the requested site against a global blacklist, thus the communication between the client and our servers is unavoidable, while we keep it to an absolute minimum and do not log this communication. Our Servers are all in Germany, thus we are also bound by GDPR and only process data for the specified reasons. Our addon has also been processed by Mozilla’s stringent Verification staff, which have specifically approved all communication that occurs. All data transferred should communicate securely, however as we take these privacy concerns very seriously, I have already informed the developers to investigate the issue at hand, to verify and improve if possible.”
Wu countered the denial: he believes the malicious functionality was deliberately added to the add-ons and was not an accident. “All of these extensions used subtle code obfuscation, where actual legitimate extension functionality is mixed with seemingly innocent code, spread over multiple locations and files. The sheer number of misleading identifiers, obfuscated URLs / constants, and covert data flows left me with little doubt about the intentions of the author: It is apparent that they tried to hide malicious code in their add-on,” added Wu.
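The pattern Hill describes, a POST to one fixed address after every page load, can be looked for in a proxy or browser network capture. The following is an added example, not code from Mozilla, Wu or Hill; the event format, the two-second window, the 0.9 coverage threshold and the 192.0.2.10 documentation address are assumptions made for illustration.

```python
import ipaddress
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed capture: (seconds, kind, method, url, body). "nav" is a top-level page
# load, "bg" a request made outside the page. 192.0.2.10 is a documentation address.
EVENTS = [
    (0.0, "nav", "GET", "https://news.example/", b""),
    (0.3, "bg", "POST", "http://192.0.2.10/", bytes(range(40, 104))),
    (5.0, "nav", "GET", "https://shop.example/cart", b""),
    (5.2, "bg", "POST", "http://192.0.2.10/", bytes(range(90, 154))),
    (5.4, "bg", "POST", "https://shop.example/api/cart", b'{"item": 1, "qty": 1}'),
    (9.0, "nav", "GET", "https://mail.example/inbox", b""),
    (9.1, "bg", "POST", "http://192.0.2.10/", bytes(range(7, 71))),
]

def entropy(data):  # Shannon entropy in bits per byte; packed or encrypted data scores high
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_page_load_beacons(events, window=2.0, min_coverage=0.9):
    """Flag third-party hosts that receive a POST after nearly every page load."""
    navs = [(t, urlsplit(url).hostname) for t, kind, _, url, _ in events if kind == "nav"]
    posts = defaultdict(list)  # (scheme, host) -> [(page-load index, body), ...]
    for t, kind, method, url, body in events:
        earlier = [i for i, (nav_t, _) in enumerate(navs) if nav_t <= t]
        if kind != "bg" or method != "POST" or not earlier:
            continue
        dest, last = urlsplit(url), earlier[-1]  # attribute the POST to the latest page load
        if t - navs[last][0] <= window and dest.hostname != navs[last][1]:
            posts[(dest.scheme, dest.hostname)].append((last, body))
    findings = []
    for (scheme, host), sent in posts.items():
        coverage = len({i for i, _ in sent}) / len(navs)  # share of page loads followed
        if coverage >= min_coverage:
            findings.append({"host": host, "coverage": coverage,
                             "cleartext": scheme == "http", "ip_literal": is_ip_literal(host),
                             "mean_entropy": sum(entropy(b) for _, b in sent) / len(sent)})
    return findings

if __name__ == "__main__":
    print(find_page_load_beacons(EVENTS))
```

On the constructed capture, only 192.0.2.10 is reported; the first-party POST to shop.example is ignored because it goes to the site the user actually visited.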
Aside from Web security, the add-ons below were in Mozilla’s deletion crosshairs:
- YouTube Download & Adblocker Smarttube
- Facebook Bookmark Manager
- Facebook Video Downloader
- YouTube MP3 Converter & Download
- Simply Search
- Smarttube – Extreme
- Self Destroying Cookies
- Popup Blocker Pro
- YouTube – Adblock
- Auto Destroy Cookies
- Amazon Quick Search
- YouTube Adblocker
- Video Downloader
- Google NoTrack
- Quick AMZ
More than 500,000 Firefox installations had these add-ons.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer covering the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others.