This article was published on July 14, 2010

Firefox User? Be Aware Of Two More Malicious Add-Ons


Firefox User? Be Aware Of Two More Malicious Add-Ons

Mozilla has released information in an add-on security vulnerability announcement providing details of two serious Firefox add-on vulnerabilities, one stealing all of your personal information and the other allowing an attacker to remotely take over your computer.

The add-ons, called Mozilla Sniffer and CoolPreviews have already been identified by the Mozilla team, so before you start to worry, you will not be able to download them and potentially put your personal information at risk.

The bulletin comes to educate those who have already downloaded Mozilla Sniffer (all 1800 of you) and CoolPreviews (a worrying 177,000 users have the dated add-on installed and haven’t yet upgraded) and list the potential issues associated with installing them.

Mozilla lists the following information:

Mozilla Sniffer

Issue
An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

Impact to users
If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.

Status
Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.

CoolPreviews

Issue
A security escalation vulnerability was discovered in version 3.0.1 of the CoolPreviews add-on. The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on addons.mozilla.org, and a fixed version was uploaded and reviewed within a day of the developer being notified.

Impact to users
Proof of concept code for this vulnerability was posted on this blog, but no known malicious exploits have been reported so far. If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution.

All users of CoolPreviews should update to the latest version as soon as possible in order to avoid exposure.

Status
Currently, 177,000 users have a vulnerable version installed. This is less than 25% of the current install base and it will continue to decrease as more users are prompted to update to a new version. Vulnerable versions will also be blocklisted very soon.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Mozilla has taken action to reduce the number of unreviewed add-ons exposed to Firefox users, implementing a new security model for its Add-ons site that requires all add-ons to be code-reviewed before they are discoverable on the site.

If you have either add-on installed, we suggest you either remove them completely or upgrade to the latest version of CoolPreviews in order to reduce exposure to the vulnerability.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with