Mozilla Removes And Blocks 2 Firefox Add-ons

Martin Brinkmann
Jul 15, 2010
Updated • Feb 23, 2015
Firefox, Firefox add-ons

Mozilla has rarely had to pull the plug on add-ons hosted on the official Firefox add-on repository. This can be attributed largely to the review process that every add-on submitted to the site needs to undergo before it is listed.

The developers of the popular Firefox web browser have some tools at their disposal to deal with add-ons that are either malicious in nature or insecure.

A recent blog post on the Mozilla Add-ons blog revealed that Mozilla recently had to deal with two add-ons that fall into those two groups.

The first add-on, Mozilla Sniffer, contained code that intercepted login information and sent it to a remote server on the Internet.

The issue was discovered on July 12, six days after the add-on was added as an experimental add-on to the Mozilla website. The add-on was disabled immediately after a manual code review and added to the global blocklist.

A total of 1800 installations were recorded prior to the detection. All users who have installed the add-on receive an automatic uninstallation request, triggered by the add-on's addition to the blocklist.

Firefox users who have or had the Mozilla Sniffer add-on installed need to change their login information on all sites they have visited since installing the add-on to prevent possible account access by third parties.

All add-ons that developers upload to the Firefox add-on repository are scanned for malicious code. A manual review of the add-on follows at a later time. The virus scan did not detect the "phone home" function, so the add-on was listed as an experimental add-on on the public website.

It is obvious that this verification process is flawed. It might not happen often that malicious add-ons pass the initial scan, but it has happened in the past.

Back in February, two add-ons were discovered in the add-on repository that contained malicious code. Mozilla back then increased the number of malware scanners and the frequency of the scans.

A new security model has been proposed which changes the review process so that only code-reviewed add-ons are visible to Firefox users on the add-ons website.

Cool Previews was the second add-on the Mozilla developers had to deal with. A critical security vulnerability was discovered in version 3.0.1 of the add-on, installed by more than 170k users.

The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer.

Versions 3.0.1 and earlier of Cool Previews have been disabled after the discovery. The developer of Cool Previews managed to update the add-on within a day of notification. The new version is already available on the Mozilla website and as an update.

Add-on updates are displayed automatically to Firefox users. Additional information is provided in the Mozilla blog post.




  1. Prophet said on July 16, 2010 at 6:21 am

    The first add-on, Mozilla Sniffer, contained code that intercepted and send login information to a remove server on the Internet.

    REMOTE server I take it? :)

    1. Martin said on July 16, 2010 at 8:58 am

      Prophet you are right, edited it, thanks for finding the typo.
