Mozilla has issued a warning that a Firefox add-on available from the official Mozilla Add-Ons website was secretly sending users’ stolen passwords to a remote location.
“Mozilla Sniffer” was uploaded to the Firefox add-on site on June 6th, but was only determined at the start of this week to contain code that sent the contents of website login forms to a remote location.
In other words, if you installed this add-on (and according to Mozilla about 1800 people did) then every time you entered your password on a website you were potentially handing over your confidential login details to an unknown party.
And this isn’t the first time that Firefox add-ons have made the security headlines. For instance, earlier this year Mozilla revealed that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.
Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn’t enough in this latest breach, and there is a proposal to introduce a requirement that all add-ons be code-reviewed before they are published on the site. More details on this proposal are available in a document about the new review model.
Mozilla has now black-listed the “Mozilla Sniffer” add-on, meaning that users who are already running the code will be prompted to remove it.
If you’re one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.
In a separate security incident, Mozilla has warned that a security vulnerability exists in a version of the popular CoolPreviews add-on (which displays thumbnails of websites when you hover your mouse over web links). Version 3.0.1 and earlier versions of CoolPreviews are said to be affected.
Proof-of-concept code demonstrating how hackers could exploit the flaw to run malicious code on users’ computers has been published on a Japanese blog.
Mozilla says that currently 177,000 users have a vulnerable version of CoolPreviews installed – and has encouraged all users to update to the latest version as soon as possible in order to avoid exposure to attacks.