Firefox add-on exposes visited URLs
Sophos's Graham Cluley reports that the ShowIP add-on for Mozilla's Firefox browser sends the URLs of visited web pages to a web service called ip2info.org in unencrypted form. Apparently, the browser extension doesn't restrict this behaviour to the normal browsing mode: it also transmits URLs that are accessed via HTTPS and the URLs of any sites that are visited while in "Private Browsing" mode.
ShowIP displays the IP addresses (IPv4/IPv6) of the current web page in the browser's status bar and gives access to querying services such as whois and Netcraft. The extension is particularly popular with network administrators and developers; according to Mozilla, the add-on has been installed by nearly 170,000 Firefox users.
The described behaviour was first observed in version 1.3 of the GPLv2-licensed add-on, which was published on 19 April, and remains in newer releases. Many users have complained about the privacy violation on Mozilla's add-on page – the ShowIP Dev Team, the developer of the add-on, responded by explaining that the add-on sends the URL to the server "to access the ip2location database" and promising that HTTPS will be added as soon as possible.
According to its whois entry, the ip2info.org service is owned by the "Hats on Marketing UG" marketing and SEO agency, a subsidiary of efamous GmbH. Apparently, the company took over the development of the add-on from the original developer, Jan Dittmer.
Mozilla has since responded by rolling back the available version of ShowIP on the Mozilla Add-ons site to version 1.0 and says it is working with the developer to address the issues.
(crve)