Mozilla disables login-stealing Firefox add-on
Mozilla, the non-profit organisation behind the popular open source Firefox web browser, has confirmed that it has disabled an extension called "Mozilla Sniffer" after discovering that the add-on intercepted user login data submitted to any web site and sent it to a remote location. According to a post on the Mozilla Add-ons blog, the add-on was uploaded to addons.mozilla.org on the 6th of June and had been downloaded approximately 1,800 times since its submission. The company says that while it currently reports 334 active daily users, the extension has been added to Mozilla's block-list. Users that installed the extension are advised to change their passwords.
The software was not created by Mozilla, nor was it reviewed by the organisation. Mozilla says that, as the add-on was in an experimental state, all users should have received a warning, indicating it had not been reviewed, before installing it. While Add-ons that have not been reviewed are scanned for known viruses, trojans and malware through an automated process, some types of malicious behaviour can only be detected by reviewing the code.
Mozilla also said that it has discovered an add-on with a serious security vulnerability called "CoolPreviews". All versions up to and including version 3.0.1 of the CoolPreviews add-on reportedly contain a security escalation issue that could cause remote code to be executed with local chrome privileges, giving an attacker control over the host system. For an attack to be successful, a user must first click on a specially crafted link.
Approximately 177,000 users, less than 25% of the current install base, have the vulnerable version of CoolPreviews installed. All users are advised to update to the latest release as the vulnerable version will be added to the block-list "very soon".
- Mozilla releases first Firefox 4 beta, a report from The H.
- Mozilla releases Firefox 3.6.6, a report from The H.