Mozilla tests including Have I Been Pwned in Firefox Watch Now

Mozilla has quietly removed an add-on from a list of recommended browser bolts-on listed on the Firefox official blog after a researcher discovered the software was covertly logging browser histories.

The add-on, called "Web Security," is described as a service which offers "extensive real-time protection and relies on advanced databases" to protect users from being spied on when browsing, the threat of malware, and phishing.

Developed by German firm Creative Software Solutions, Web Security has proved to be popular with over 220,000 installs and an overall rating of 4.5 out of 5.

Due to its high rating and popularity, Mozilla included the add-on in a roundup list posted last week on the official Firefox blog.

The collection originally included 14 add-ons relating to privacy and security. There are now only 13 on the list at the time of writing. However, there is no note or status regarding the removed tool.

When the article was posted to Reddit, uBlock Origin developer Raymond "gorhill4" Hill said:

"With this extension, I see that for every page you load in your browser, there is a POST to http://136.243.163.73/. The posted data is garbled, maybe someone will have the time to investigate further."

Another user suggests that a number of other add-ons included also track page visits.

When it comes to Web Security, German security researcher Mike Kuketz said in a blog post (translated) that the software "sends a lot of "gibberish" when visiting a domain over an unencrypted HTTP connection."

TechRepublic: Why you should be using Firefox Test Pilot

Kuketz said that when he called the URL from his blog, the transmission not only took place via an unencrypted channel at every domain call or change.

A reader then unencrypted the 'gibberish,' discovering that this information is then transmitted to a server in Germany.

"The visited URL as well as the previously visited domain are transmitted," Kuketz said. "And since this also happens unencrypted (without HTTPS or TLS), virtually anyone can cut the traffic and bring it into its original form."

CNET: Firefox makers working on voice-controlled web browser called Scout

This not only could be considered excessive tracking by a privacy add-on and beyond the bounds of reading URLs in order to warn users of malicious or phishing website domains, but also without any protection for communication channels, users may be vulnerable to Man-in-The-Middle (MiTM) attacks and wider surveillance.

Speaking to Bleeping Computer, a Creative Software Solutions spokesperson said:

"One of the security aspects includes checking the requested site against a global blacklist, thus the communication between the client and our servers is unavoidable, while we keep it to a[n] absolute minimum and do not log this communication. Our Servers are all in Germany, thus we are also bound by GDPR and only process data for the specified reasons. Our addon has also been processed by Mozilla's stringent Verification staff, which have specifically approved all communication that occurs. All data transferred should communicate securely, however as we take these privacy concerns very serious[ly], I have already informed the developers to investigate the issue at hand, to verify and improve if possible."

See also: Instagram hack is locking hundreds of users out of their accounts

Until the issues are resolved, users concerned about excessive web tracking should consider disabling the add-on.

Update 11.04 BST: A Mozilla spokesperson told ZDNet:

"We've received concerns from the community about the Web Security extension, and are currently investigating those concerns. The reference to the extension has been removed from the blog post as part of the investigative process."

Previous and related coverage