Mozilla bans 23 snooping Firefox extensions

Martin Brinkmann
Aug 17, 2018
Updated • Aug 18, 2018
Firefox
|
44

Mozilla purged 23 Firefox extensions from the official Firefox Addons website Mozilla AMO and browsers the extensions were installed in today.

The ban affects 23 extensions for Firefox that were installed by more than 500,000 users of the browser. The list includes the infamous Web Security extension that Mozilla highlighted as a "great" privacy extension in a blog post on the official site before deleting any reference without mentioning the fact in the blog post.

Web Security had 220,000 users at that time; other banned extensions include Facebook Video Downloader, Popup-Blocker, Simply Search, Auto Destroy Cookies, or Google NoTrack.

A bug report on the official Bugzilla bug tracking site that Mozilla maintains lists all extension IDs that are affected.

Mozilla Engineer Rob Wu analyzed the Web Security extension after it hit the news. He made the decision to search for Web Security patterns in all publicly available Firefox extensions and found extensions that used similar snooping code. In fact, all extensions were found to send data to the same server that Web Security connected to.

All extensions collected user data and sent the data to remote servers according to Mozilla.

Wu reported his findings to Mozilla which added the IDs of the extension to the blocklist the organization maintains and removed the add-ons from the Mozilla website.

Extensions that land on the blocklist are automatically disabled if they are installed in Firefox and are no longer usable. Firefox's Add-ons blocklist is a public list that anyone can access.

The blocklist has three entries for August 16 and one of them is for Web Security and other add-ons.

Web Security and others -- Sending user data to remote servers unnecessarily, and potential for remote code execution. Suspicious account activity for multiple accounts on AMO.

Mozilla published an explanation why it made the decision to block the extensions for Firefox on Bugzilla:

  • The extensions sent more data to remote servers than seemed necessary.
  • Some of the data is sent across insecure connections.
  • The data collecting and sending is not made clear or disclosed clearly apart from being revealed in a large privacy policy.
  • The potential to execute code remotely is built into the extensions, and partial obfuscation is used to make identification more complicated.
  • Same code exists in multiple add-ons that have different features and different authors. It appears that the same developer or group is behind all these extensions.

Closing Words

Removal of extensions from Mozilla AMO and use of the blocklist feature to get them disabled in Firefox installations was the right move by Mozilla.

One has to ask, however, why these extensions were not blocked from being listed in first place. Mozilla changed the review process for Firefox WebExtensions in 2017 from manual (human) reviews to automatic (computer) reviews. Human reviews are still a thing on Mozilla AMO but extensions can land in the Store when they pass automatic reviews.

While that decreases the time it takes to publish new extensions and extension updates, it also means that the chance that malicious, privacy invasive, or otherwise problematic extensions land in the Store.

Mozilla had to step in several times in the past already, for instance when several crypto mining extensions were unleashed. The system is not nearly as bad as Google's for Chrome extensions, but it is far from being perfectly safe. (via Bleeping Computer)

Now You: What is your take on this?

Summary
Mozilla bans 23 snooping Firefox extensions
Article Name
Mozilla bans 23 snooping Firefox extensions
Description
Mozilla purged 23 Firefox extensions from the official Firefox Addons website Mozilla AMO and browsers the extensions were installed in today.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. John said on August 20, 2018 at 7:58 pm
    Reply

    Mozilla should review extensions with more than X downloads.

  2. lord lestat said on August 19, 2018 at 6:57 pm
    Reply

    Removing extensions… Oh wait, was that not the reason why people have ranted against Pale Moon? Oh well, double standards ;)

  3. marius said on August 19, 2018 at 3:58 pm
    Reply

    Quantity versus quality,imagine my shock!

    1. owl said on August 20, 2018 at 7:17 am
      Reply

      I agree!
      Perfection is a difficult, but trust should not be lacking!
      However, it was more appropriate than Google and Microsoft.
      It is important to analyze what happened and take countermeasures.
      “Do not repeat your mistakes”
      Reliability is a top priority.

  4. Jozsef said on August 18, 2018 at 11:09 pm
    Reply

    Mozilla is, unfortunately, a rudderless ship. I wish I could still believe that their intentions are noble but it looks more like some combination of cynical indifference and egotistical arrogance.

    1. owl said on August 20, 2018 at 6:51 am
      Reply

      Indeed, sometimes feels so.
      But, Google and Microsoft can not be trusted.
      It may not be the best, limited to “Mozilla” is a better choice.
      Funds and human resources are also necessary for business management.
      However, Mozilla is a non-profit foundation corporation.
      “For users” is the spirit of Mozilla.
      “Do not forget the basics.”

  5. Chris said on August 18, 2018 at 8:56 pm
    Reply

    The developer has responded twice. See https://bugzilla.mozilla.org/show_bug.cgi?id=1483995

    1. TelV said on August 18, 2018 at 9:49 pm
      Reply

      That’s all very well Chris, but it doesn’t explain the connection between them and the IP identified in the Martin’s screenshot which is registered to synatix-gmbh.de, a known adware outfit.

      You can download this free tool from Nirsoft to identify the IP address yourself if you don’t believe me: https://www.nirsoft.net/utils/ipnetinfo.html

  6. John Doe 101 said on August 18, 2018 at 3:08 pm
    Reply

    It’s NOT about cookies, it’s about following our Surfbehaviour,….hmm let’s see, what we got here, hmm, what the heck is h-bid.com, eh?

    That’s where the Story goes, i think, we ALL KNOW, what’s going on today but my personal Question is,…even if i see Ads or so called “Werbung”, i am not interested in that, won’t buy anything or look at thing, i NO need.

    So i do NOT understand the Industry, believing Ads will work on people to buy things, that’s in my Mind ridicoulos. Do i not have a personal kind of seeing things i need?

    So, if Mozilla blocks some so called Security Addons, which do spy on you, fine, but that’s NOT the point.

    The Point is you cannot be abolutely invisible through the NET, but u are able to choose some Protection.

    Mozilla itself tracks you, so come on, it’s No Big Deal, if you know what to do.^^

    1. Tom Hawack said on August 18, 2018 at 9:59 pm
      Reply

      John Wanamaker (1838-1922) was a very successful United States merchant, religious leader and political figure, considered by some to be a “pioneer in marketing”. He opened one of the first and most successful department stores in the United States, which grew to 16 stores and eventually became part of Macy’s. He is credited with coining the phrase “Half the money I spend on advertising is wasted; the trouble is I don’t know which half”. (https://preview.tinyurl.com/yacka9yd)

      That’s the whole point and, given planetary business nowadays more than ever, even a little half brings far more than in the old days. Even if 90% of solicited consumers don’t give a damn about ads the other 10% make the business worth spending billions for advertisement. Ad business is upset not because they’re loosing money but because they’re not increasing profits as they would back then : if you run after a taxi you spare 10 bucks but only one by running after a bus.

      Why are people upset with ads? My guess is the amount and frequency, too much, feed-force. And when it comes to the Web, tracking and malvertisement.

    2. TelV said on August 18, 2018 at 9:09 pm
      Reply

      But ads do work! You’ve only got to look at the revenue Google generates from the advertising business to know it’s their biggest source of income: https://www.statista.com/statistics/266249/advertising-revenue-of-google/

      Since the advent of smartphones and Android in particular, advertising revenue has increased exponentially and will continue to do so for the foreseeable future no doubt.

      I often wonder though who these people are who are so subsceptible to ads. I guess a lot of it comes from Facebook and other social media sites and since Google is the most often used search engine, the stuff peeps are looking for are going to appear in the search results no doubt.

  7. Gerard said on August 18, 2018 at 1:44 pm
    Reply

    There are far too many browser extensions in my opinion. I would prefer a shorter list with only properly tested and reviewed extensions.
    I try to use as few extensions as possible and only essential (imho) ones that have been favourably reviewed by several trusted (by me) third parties with a proven track record as reliable and knowledgeable reviewers.

    1. owl said on August 20, 2018 at 6:11 am
      Reply

      I agree with “minimum necessary extensions”, but its choice is not easy.
      The actual situation is unknown, and the information is also scarce.
      Since the user Review is “subjective”, it depends on comprehension degree and preference, so it tends to be far from the truth.
      About the extension (in major category configuration), I feel the need of the article by “ghacks.net”.

  8. TelV said on August 18, 2018 at 11:00 am
    Reply

    From this Github thread it looks as if this issue was known about 12 months ago judging by the last but one comment by “ghost”: https://github.com/nylira/prism-break/issues/1796

    It’s not altogether clear which addon he’s referring to, but presumably it’s to the post by “hasufell” dated December 9, 2017 which contains a link to the AMO site.

    However, that link results in a 404 error now. Also, unless there were two addons with the same name namely “Self-destructing cookies”, I think he got the name wrong since an addon by that name (which I still use incidentally) is still available: https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/

    The topic in the thread was merely intended to be informative to advise users that Self-Destructing Cookies was no longer being maintained.

    1. owl said on August 20, 2018 at 5:21 am
      Reply

      Once upon a time I was using the “Self-destroying cookies”.
      However, because of compatibility issues with Browser, it became “Non-recommended products”, so after that,
      In Firefox and Waterfox uses the “Forget Me Not”.
      Pale Moon is “Cookies Exterminator”.

    2. Tom Hawack said on August 18, 2018 at 11:50 am
      Reply

      hasufell’s link points to ‘self-destructing-cookies-1’ and noted as “add-on has been disabled by an administrator.” on AMO

      The other ‘Self-Destructing Cookies’, the one you mention, points to ‘self-destructing-cookies’ and noted “Not compatible with Firefox Quantum” on AMO

      Whatever, I remember having tested ”self-destructing-cookies’ before Quantum and had noticed it phoned home at Firefox start.

      Several healthy cookie managers available :
      ‘Cookie AutoDelete’, Quantum-ready, good, I’ve used it for some time;
      ‘Forget Me Not’, Quantum-ready, flexible, the best IMO
      ‘Cookie Quick Manager’, Quantum-ready, mainly a cookie editor, which I use together with ‘Forget Me Not’. Excellent cookie editor, edit, create, save.

      1. TelV said on August 18, 2018 at 6:46 pm
        Reply

        I use solely Waterfox these days so Quantum-ready addons don’t interest me.

        But I think the link hasufell pointed to must have been “Self-destroying cookies” since that’s the only one with a similar sounding name which appears in the list on the Bleeping Computer site: https://www.bleepingcomputer.com/news/security/mozilla-removes-23-firefox-add-ons-that-snooped-on-users/

        There are some alternatives to “Self-destructing cookies” mentioned on the “Alternative To” site at: https://alternativeto.net/software/self-destructing-cookies/?license=opensource if you’re interested. In particular Cookies Exterminator sounds promising especially since it’s based of self-destructing cookies according to the developer.

  9. pd said on August 18, 2018 at 9:26 am
    Reply

    Mozilla, Mozilla, Mozilla. How I want to still love you, support you and champion you, as I’ve been doing in my own nano way for a decade or more. But how hard you’re making it. Practically impossible.

    One of the complaints that came out of Mozilla, around the time the were throwing out whatever euphemism they gave their scorched Earth policy change, was that they couldn’t compete with ‘the big three’ browser vendors due to a lack of resources. This is the polar opposite to the attitude that spawned Firefox in the first place, but that’s another story. One might think a benefit of being ‘smaller’ or having fewer resources is they could be more consistent with their policy making. You know, fewer ‘cooks’, fewer inconsistent, dubious decisions? It seems the opposite is the case. Mozilla is making very contrary policy decisions quite often. They claim to take user privacy and security more seriously than others. Or, at least, try to make out that their lack of ‘big data’ involvement and social enterprise orientation means they aren’t beholden to, or oriented towards, abusing user data and security. Yet they make illogical decision like not enforcing human-scrutinised extension verification. It doesn’t take a genius to see the clash of motivations that produced this decision either. Perhaps it takes outsiders though, which is likely the problem. Mozilla doubtless adopted this risky, ‘fast’-review policy to attract extension developers.

    It’s the same sort of decision making that butchered the browser’s biggest differentiating feature: the level of extensibility, and thus customization, in favour of adopting the more limited extension APIs that developers are *seemingly* attracted to with Chrome.

    In the olden days, perhaps before the fascist left thought police forced out Brendan Eich, although that may not be the watermark that’s most meaningful, Mozilla could generally still lay claim to putting users first. That no longer seems to be the case.

    It’s very disillusioning because whilst arguably any open software system can be manipulated for nefarious purposes with enough effort, this sort of incident is a clear black mark for Mozilla. If they really care about user rights, they could consider running an opt-in proxy that scans all user-submitted data, and/or forces it through Mozilla-controlled servers, and ensures nothing unwanted is being transmitted. Not so long ago, such a suggested would seem to be illogical in that it puts Mozilla in an orwellian position of power as the pipe through which all it’s Firefox user data is sent. Alas, this is the web we have ended up with: user data is now an open slather target for all and sundry from ostensibly/unavaoidably trusted ‘responsible’ parties like Google, to nefarious extension developers. Mozilla needs to go further than the belated permissions system that finally exists in Firefox. They need to offer an opt-in, higher-security layer beyond the sideways option of the Privacy Mode. Arguably most users don’t think to open a separate context or window for sensitive activity on the web. Mozilla needs to offer a higher-security option on-the-fly in a similar approach to re-writing the broken / bloated web with Reader Mode. Ideally websites would be authored with highly-contrasting, readable text and minimal distraactions. Reality is, they are not. Hence, Reader Modes. A similar approach is needed for user privacy. Whenever a form action (and the various equivalents such as XHR) is detected in the page and a submit happens, Mozilla should provide users with a clear-as-day, columnar, fixed width font styled overlay that shows *exactly* what data is being sent and to where. The same must be applied to extensions. Users who don’t care and don’t want this interruption can opt out for good. Those who value their privacy and security should be able to untick any data element they do not wish to transmit. If the website action then fails, the user should be presented with a clear explanation and the option to have the site reported to a public database website where dubious website practices are revealed.

    1. Anonymous said on August 18, 2018 at 3:49 pm
      Reply

      “they could consider running an opt-in proxy that scans all user-submitted data, and/or forces it through Mozilla-controlled servers”

      Oh god, please no. Never ever. Opt in or not.
      Web notifications are already centralized through a Mozilla-controlled server before reaching users. Don’t give them more nefarious ideas like that please.
      And you’re suggesting that right at the time they proved their incompetence/disinterest/corruptibility in filtering malware ?

    2. Tom Hawack said on August 18, 2018 at 12:01 pm
      Reply

      I’ve always felt Mozilla as a company organized horizontally typical of a community-wise scheme, with advantages of individual initiative and the disadvantage of disparity due to a lack of centralization. There are contradictions in the company’s way of carrying out projects alongside a clear route which leads to the inconsistencies we observe. I’m convinced there’s good will, there’s no evil and a true Mozilla spirit does exist, that’s not the problem. The problem is keeping the right ratio in the innovation versus route to the disadvantage of a clear horizon : too many engineers working in their little corners with a flagrant lack of a wise decision maker. That’s what happens within communities. You need democracy but a strong executive as well otherwise it becomes chaotic.

      1. TelV said on August 18, 2018 at 8:44 pm
        Reply

        You’d make a good politician Tom!

      2. Tom Hawack said on August 18, 2018 at 9:07 pm
        Reply

        @TelV, i’m far too much of an idealist to be even a manager, so a politician certainly not. But, but, but … if I were it’d be (or have been) De Gaulle rather than Macron, an author: Hugo rather than Balzac, a philosopher: Bergson rather than Sartre, a performer: Beatles rather then The Stones, a blogger: ghacks rather than [confidential], a drink: Pepsi rather than CCola, an airline: PanAm (well, before!) rather than TWA … more to come after the advertisement . My brains go rightwards when my heart leans to the left: crazy mixed-up old man :=)

      3. jan said on August 18, 2018 at 10:55 pm
        Reply

        @ Tom
        I think it is now the time for you, Tom, to put the keyboard aside and see a psychologist. I have observed your occasional escapades; a system restore is surely needed together with a deletion of older log files. Do not delay, do it now. Afterwards you will be thankful you did.

      4. Tom Hawack said on August 19, 2018 at 11:15 am
        Reply

        @jan, time, it’s always a matter of time. Regarding your detailed analysis I’d say that it’s either too late or too early for me. Too late considering that with time we get increasingly reluctant to change ourselves but if we happen to be able to fight back it might be too early if we haven’t yet understood those mental bugs. People like you, committed to our mental health, are a gift of the heavens, helping others to be aware of their madness. Can we be mad and aware of it? When the symptoms are brought to a mad mind quickly enough there is often hope, so be thanked for your enlightenment. I’ll try to take the time for deeper introspection, meditation and remember your wonderful analogy with computing devices, so wisely pertinent.

      5. TelV said on August 18, 2018 at 9:34 pm
        Reply

        Old man? I seemed to recall reading in one of your posts somewhere that you were still at school?

      6. Tom Hawack said on August 18, 2018 at 9:44 pm
        Reply

        Older you get more you realize the amount of what you ignore and behave accordingly as a pupil, my dear :=)

  10. John C. said on August 18, 2018 at 9:14 am
    Reply

    I thought that the big move from Legacy to Webextensions was supposed to make me more secure: “To ensure third-party extensions provide customization without sacrificing security, performance or exposing users to malware, we will require all extensions to be validated and signed by Mozilla starting in Firefox 41, which will be released on September 22nd 2015.” *sigh*

    Well, thanks very much for this article, Martin. Forewarned is forearmed.

  11. Tony said on August 18, 2018 at 8:59 am
    Reply

    Martin, are they just disabled, or are they deleted? It seems to easy to re-enable them if they are just disabled without any warning message.

  12. Suvam4549 said on August 18, 2018 at 7:02 am
    Reply

    Okay. I use AdGuard for most of the blogs I visit. But this blog is simply the best I have come across. Immediately added this to whitelist, reopened all the articles I had read. Clicked on every single Ad I saw on 8 articles. I am unable to donate real money but I can do this, at least. Good luck, Martin & Co.

  13. Waza said on August 18, 2018 at 4:17 am
    Reply

    There’s one individual who’s linked to almost all of these: Fabian Bjorn Simon of Hameln.

  14. Anonymous said on August 18, 2018 at 3:01 am
    Reply

    “Thanks to … Raymond Hill … for conducting much of the investigation and keeping the ball rolling.”

    They should put him in charge of Firefox security.

    1. Chris said on August 18, 2018 at 8:50 pm
      Reply

      @Anonymous Interesting that you would leave out the names of everyone else involved, including the lead developer, Rob Wu, who did most of the work.

  15. k358 said on August 18, 2018 at 12:51 am
    Reply

    As an addition, one can disable the blocklist via ‘extensions.blocklist.enabled’ in about:config, or alternatively use a custom list with ‘extensions.blocklist.url’.

    1. John said on August 18, 2018 at 7:12 am
      Reply

      Why would you want to disable the blocklist that prevents you from using add-ons described as “privacy and security tools” that are actually malware add-ons that compromise both your privacy and your security?

      Mozilla clearly did the right thing in blocking these extensions. That’s not the problem. The problem is that they were approved in the first place, stayed up for a while, and that one even made an official list as being recommended ny Mozilla before anyone looked at the code.

      As Martin said, they really need to go back to checking these things manually. Nothing should go up until a human at Mozilla looks at the code.

      These finally got caught because they were promiment enough to catch a prominent add-on developer’s attention, and he was prominent enough that Mozilla took him seriously. Imagine how much malware with small to medium size userbases could be out there and how long it could sit until someone important sees it and brings it to the attention of someone else who is important?

      1. Anonymous said on August 18, 2018 at 3:34 pm
        Reply

        They used to have time to check if what they promote is malware, they even checked all extensions before, but they changed their priorities some time ago, because they didn’t have enough (wo)manpower left to develop new juicy spyware features.

  16. Decent60 said on August 17, 2018 at 11:17 pm
    Reply

    Hey Martin, another interesting article, but there are a few typos I found (and I don’t see the report button on here anymore so I’ll post them below).

    “A bug report on the official Bugzilla but tracking site that Mozilla maintains lists all extension IDs that are affected.”
    Should be “bug tracking site”

    “All extensions collected user data and sent the data to remove servers according to Mozilla.”
    Should be “to remote servers”

    1. Tom Hawack said on August 17, 2018 at 11:35 pm
      Reply

      Good you mentioned it otherwise we never would have understood the article.

  17. ULBoom said on August 17, 2018 at 10:55 pm
    Reply

    Glad Mozilla reacted, there are only a few browsers left that aren’t primarily data miners anymore. At least the somewhat tech savvy can play with config settings to lock down firefox quite a bit.

    In the 6th paragraph:
    “All extensions collected user data and sent the data to >removeremote< servers, I believe. Removing servers is very, very bad! :)

    1. Tom Hawack said on August 17, 2018 at 11:32 pm
      Reply

      Mozilla reacted, but not on its own initiative.

      According to Bleeping Computer, Rob Wu, a Mozilla Browser Engineer and Add-on review, told Bleeping Computer via email several things among which,

      “I did the investigation voluntarily last weekend after spotting Raymond Hill’s (gorhill) comment on Reddit, I audited the source code of the extension, using tools including my extension source viewer.”

      It had to be that this one Mozilla engineer who happened to investigate, “voluntarily” — after reading a comment on Reddit — to wake up Mozilla and get them to bring down 23 (twenty-three!) similar trash extensions. What does this mean, that extensions’ probity are tied to this one engineer who happens to read a comment on a forum? Are Firefox extensions’ seriousness tied to a lottery? Is it that we were just lucky that a Mozilla engineer, that day, on that forum, happened to discover what a dedicated Firefox extensions’ team should be performing?

      This is IMO a true fault and I can tell you that if I’d consider up to this lucky strike extensions, because on AMO, as secure, I certainly won’t anymore and will be systematically checking each and every extension by myself (download, unzip, dig into the code) before installing them.

      1. Anonymous said on August 18, 2018 at 3:27 pm
        Reply

        One funny thing is that at Mozilla they allow themselves to forbid auto-update of the uBlock Origin adblock scripts because they consider Raymond Hill and extension authors in general so untrustworthy, but it’s Raymond Hill who has to tell Mozilla when their featured privacy extensions allow forbidden remote code execution…

  18. XenoSilvano said on August 17, 2018 at 10:32 pm
    Reply

    *kisses teeth* too little, too late Mozilla!

    both of the following extension I integrated into the browser I use got flagged:

    Browser Security
    Web Security

    I probably would not be using these extensions if it were not recommended by one of you PB

  19. Anonymous said on August 17, 2018 at 9:40 pm
    Reply

    Missing a WARNING at the top of every extension page: /!\ “Dear users, due to the human nature lot of add-ons posted on our (not yours) site could be dangerous for you (not for us), please be carefull BEFORE installing any of them!” /!\

    Without that as the Mozilla advertising is based on “Firefox the best secure browser”, Firefox the best browser concerning privacy” blablabla, many people are in excessive trust (dazzled).

  20. rush said on August 17, 2018 at 9:37 pm
    Reply

    Translation?

    Mozilla Firefox won’t share your data, that they feel… rightfully belongs to them.

  21. Tom Hawack said on August 17, 2018 at 8:57 pm
    Reply

    My take on this is so obvious that I wonder if it’s even worth being mentioned : when Mozilla highlights an extension as a “great” privacy extension to later on ban it because that extension had managed to bypass Mozilla’s automatic process, there’s more than a problem, there’s a fault.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.