Mozilla pulls password-sniffing Firefox add-on

Mozilla has issued a warning that a Firefox add-on available from the official Mozilla Add-Ons website was secretly sending users’ stolen passwords to a remote location.

“Mozilla Sniffer” was uploaded to the Firefox add-on site on June 6th, but was only determined at the start of this week to contain code that sent the contents of website login forms to a remote location.

In other words, if you installed this add-on (and according to Mozilla about 1800 people did) then every time you entered your password on a website you were potentially handing over your confidential login details to an unknown party.

And this isn’t the first time that Firefox add-ons have made the security headlines. For instance, earlier this year Mozilla revealed that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.

Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn’t enough in this latest breach, and there is a proposal to introduce a requirement that all add-ons be code-reviewed before they are published on the site. More details on this proposal are available in a document about the new review model.

Mozilla has now black-listed the “Mozilla Sniffer” add-on, meaning that users who are already running the code will be prompted to remove it.

If you’re one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.

In a separate security incident, Mozilla has warned that a security vulnerability exists in a version of the popular CoolPreviews add-on (which displays thumbnails of websites when you hover your mouse over web links). Version 3.0.1 and earlier versions of CoolPreviews are said to be affected.

Proof-of-concept code demonstrating how hackers could exploit the flaw to run malicious code on users’ computers has been published on a Japanese blog.

Mozilla says that currently 177,000 users have a vulnerable version of CoolPreviews installed – and has encouraged all users to update to the latest version as soon as possible in order to avoid exposure to attacks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
