Mozilla’s blacklisted extension

Mozilla revealed that an extension called “Mozilla Sniffer” stole usernames and passwords from users for over a month. The extension was uploaded to the AMO website (addons.mozilla.org) on June 6th and did nothing more than intercept login credentials for any website and submit them to a third-party server.

“Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users,” Mozilla said. The organization explained that the malicious behavior was not detected earlier because this extension had an experimental status. Apparently, such extensions are not subjected to manual code review and are only automatically scanned for known viruses and other malware. Users who downloaded and installed this extension are advised to change all of their passwords immediately.

The second blacklisted extension is a legitimate one called CoolPreviews. This add-on displays a preview of the destination website when the mouse hovers over a hyperlink. However, a critical vulnerability in version 3.0.1 allows attackers to craft malicious links that result in the execution of malicious JavaScript with elevated privileges.

A new version containing a fix for this issue has been uploaded to the repository, but Mozilla says that 177,000 users still have the vulnerable one installed. The blocklist update will be pushed to users gradually; however, the check can be triggered manually by opening the Error Console (Tools > Error Console in the Firefox menu, or Ctrl+Shift+J), pasting Components.classes['@mozilla.org/extensions/blocklist;1'].getService(Components.interfaces.nsITimerCallback).notify(null) into the Code field and pressing Evaluate.
