Mozilla Firefox is now flagging the popular Web of Trust (WOT) browser add-on as suspicious and is disabling it by default.
“I just started getting a message from firefox trying to disable and/or delete this app. It is citing some bull about it being unsafe etc. Would the devs please contact firefox and get this resolved or otherwise update their app? I would rather not have to keep manually enabling it. Thanks. I also cannot find the download for the app on this site. If anyone could please redirect me to the latest version so I can see if I indeed am running the latest version that would be great.”
WOT works by sending the address of each clickable webpage to a central system as the user browses the internet. That system draws on user reviews and reputation scores to return a traffic-light color for each page: green means the page is considered safe, red means a user should visit it only at their own risk.
According to WOT, 140 million users employ the browser add-on to ensure a safer browsing experience. It’s therefore not surprising that so many Firefox users were alarmed when they saw this window pop up.
“Web of Trust 20170120 and lower has been blocked for your protection.
“Why was it blocked?
“Versions 20170120 and lower of the Web of Trust add-on send excessive user data to its service, which has been reportedly shared with third parties without sufficient sanitization. These versions are also affected by a vulnerability that could lead to unwanted remote code execution.
“Who is affected?
“All Firefox users who have these versions of the Web of Trust add-on installed.
“What does this mean?
“The problematic add-on or plugin will be automatically disabled and no longer usable.”
Sharing information with third parties? Remote code execution? Sheesh, none of that sounds good. But these issues just arose, right?
Back in the fall of 2016, the German public radio and television broadcaster Norddeutscher Rundfunk (NDR) revealed that WOT creates a user profile of sorts containing a user ID along with the date, time, location, and transmitted webpages.
These profiles, which WOT maintains are anonymous, allowed NDR reporters to deanonymize at least 50 different users using their email addresses, names, and other bits of information. Mike Kuketz, who participated in NDR’s research, confirmed those findings in his own blog post.
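The article describes a data flow (an extension sends every visited page to a rating service) and a failure mode (the stored URLs carried e-mail addresses, names and other identifiers that let reporters re-identify users). The following Python is an added illustration, not code from WOT, Mozilla or NDR: it shows what auditing and sanitising visited URLs before they leave the browser could look like, reducing each URL to scheme, host and path and redacting e-mail addresses and token-like strings. The regular expressions, the list of sensitive query parameters, the record format and the sample records are all assumptions of this example, not the real WOT protocol.

```python
"""Audit and sanitise visited URLs before a reputation lookup.

Added example modelling the data flow described in the article; the patterns,
parameter names and sample records below are assumptions, not WOT's own code.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit, urlunsplit

# Constructed sample of the kind of profile the article describes:
# a pseudonymous user ID plus timestamps and the full URLs visited.
SAMPLE_RECORDS = [
    {"uid": "u-7f3a", "ts": "2016-10-03T08:15:00Z",
     "url": "https://mail.example.com/inbox?user=jane.doe%40example.com"},
    {"uid": "u-7f3a", "ts": "2016-10-03T08:17:12Z",
     "url": "https://shop.example.net/order/4471/confirm"
            "?session=9f1c2b3a4d5e6f7081920a1b&name=Jane+Doe"},
    {"uid": "u-7f3a", "ts": "2016-10-03T09:02:44Z",
     "url": "https://news.example.org/article/12345#comments"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Long hex or base64-like runs are usually session ids, tokens or tracking ids.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{16,}|[A-Za-z0-9_-]{32,}")
# Query parameters that commonly carry a person's identity (assumed list).
SENSITIVE_PARAMS = {"user", "username", "email", "name", "token",
                    "session", "sid", "auth", "key"}


def find_identifiers(url):
    """Return the kinds of identifying data present in a URL (empty set if none)."""
    found = set()
    parts = urlsplit(url)
    # Decode percent-encoding so that jane.doe%40example.com is seen as an e-mail.
    text = unquote(parts.path) + " " + unquote(parts.query)
    if parts.username or parts.password:
        found.add("userinfo")
    if EMAIL_RE.search(text):
        found.add("email")
    if TOKEN_RE.search(text):
        found.add("token")
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            found.add("param:" + key.lower())
    return found


def sanitize_url(url):
    """Reduce a URL to scheme, host and path, dropping userinfo, query and fragment,
    and redact path segments that look like e-mail addresses or tokens."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    segments = []
    for seg in parts.path.split("/"):
        plain = unquote(seg)
        if EMAIL_RE.search(plain) or TOKEN_RE.search(plain):
            segments.append("[redacted]")
        else:
            segments.append(seg)
    return urlunsplit((parts.scheme, host, "/".join(segments), "", ""))


def audit_profile(records):
    """Collect, per pseudonymous user ID, every kind of identifier found in the
    URLs stored for that user. A non-empty set means the profile is linkable."""
    exposure = {}
    for rec in records:
        exposure.setdefault(rec["uid"], set()).update(find_identifiers(rec["url"]))
    return exposure


def sanitize_records(records):
    """Return copies of the records with each URL sanitised before transmission."""
    return [dict(rec, url=sanitize_url(rec["url"])) for rec in records]


if __name__ == "__main__":
    print("before:", audit_profile(SAMPLE_RECORDS))
    print("after: ", audit_profile(sanitize_records(SAMPLE_RECORDS)))
```

Run as a script, the audit of the raw sample profile reports an e-mail address, a name parameter and a session token under the single user ID; the same audit over the sanitised records reports nothing. Note what sanitising the URL does not fix: the user ID and timestamps still tie every lookup to one browser, so a service that retains them keeps a browsing history even when the individual URLs no longer name the person.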
Mozilla received word of the report on 1 November 2016. Just one day later, an audit performed by Rob Wu revealed an even bigger problem: the WOT add-on could execute arbitrary code on any page, meaning the company could infect users with malware or steal their banking credentials if it so chose.
Firefox removed the add-on from addons.mozilla.org around the time Wu performed his audit. That Mozilla is now blocking WOT completely suggests it is stepping up its efforts to protect users against malicious activity.
To its credit, WOT said in a forum comment that it’s working on patching the remote code execution bug. But it hasn’t addressed the deanonymization issue. Until it does, it might behoove users to uninstall the add-on and go with a safer alternative.