Mozilla today removed 23 Firefox add-ons that snooped on users and sent data to remote servers, a Mozilla engineer has told Bleeping Computer.

The list of blocked add-ons includes "Web Security," a security-centric Firefox add-on with over 220,000 users, which was at the center of a controversy this week after it was caught sending users' browsing histories to a server located in Germany.

Mozilla follows through on the promised investigation

"The mentioned add-on has been taken down, together with others after I conducted a thorough audit of [the] add-ons," Rob Wu, a Mozilla Browser Engineer and Add-on reviewer, told Bleeping Computer via email.

"These add-ons are no longer available at AMO and [have been] disabled in the browsers of users who installed them," Wu said.

"I did the investigation voluntarily last weekend after spotting Raymond Hill's (gorhill) comment on Reddit," Wu told us. "I audited the source code of the extension, using tools including my extension source viewer."

"After getting a good view of the extension's functionality, I used webextaware to retrieve all publicly available Firefox add-ons from addons.mozilla.org (AMO) and looked for similar patterns. Through this method, I found twenty add-ons that I subjected to an additional review, which can be put in two evenly sized groups based on their characteristics.

"The first group is similar to the Web Security add-on. At installation time, a request is sent to a remote server to fetch the URL of another server. Whenever a user navigates to a different location, the URL of the tab is sent to this remote server. This is not just a fire-and-forget request; responses in a specific format can activate remote code execution (RCE) functionality," Wu said. "Fortunately, the extension authors made an implementation mistake in 7 out of 10 extensions (including Web Security), which prevents RCE from working."

"The second group does not collect tab URLs in the same way as the first group, but it is able to execute remote code (which has a worse effect). This second group seems like an evolved version of the first group, because the same logic was used for RCE, with more obfuscation than the other group.

"All of these extensions used subtle code obfuscation, where actual legitimate extension functionality is mixed with seemingly innocent code, spread over multiple locations and files. The sheer number of misleading identifiers, obfuscated URLs / constants, and covert data flows left me with little doubt about the intentions of the author: It is apparent that they tried to hide malicious code in their add-on."

Wu reported these issues to fellow Mozilla engineers, who not only removed the add-ons from the Mozilla website, but also disabled them inside users' browsers.

"Although I could have taken down the extensions myself (as an add-on reviewer at AMO), I did not do so, because just taking down the listings would prevent new installations, but still leave a few hundred thousand users vulnerable to an extension from a shady developer," Wu told Bleeping Computer via email.

List of banned add-ons

A bug report includes the list of all add-ons removed today in Mozilla's purge. The bug report lists the add-ons by their IDs, and not by their names, although Wu provided Bleeping Computer with the names of some add-ons.

Besides Web Security, other banned add-ons include Browser Security, Browser Privacy, and Browser Safety. All of these have been observed sending data to the same server as Web Security, located at 136.243.163.73.

The other banned add-ons include:

YouTube Download & Adblocker Smarttube

Popup-Blocker

Facebook Bookmark Manager

Facebook Video Downloader

YouTube MP3 Converter & Download

Simply Search

Smarttube - Extreme

Self Destroying Cookies

Popup Blocker Pro

YouTube - Adblock

Auto Destroy Cookies

Amazon Quick Search

YouTube Adblocker

Video Downloader

Google NoTrack

Quick AMZ

All in all, over 500,000 users had one of these add-ons installed inside Firefox.

Offending add-ons have been disabled in users' browsers

In a quick test, Bleeping Computer confirmed that Mozilla has, true to its word, disabled the Web Security add-on in a Firefox instance used for tests the day before. Users of any of the banned add-ons will see a warning like this:

The warning message displayed at the top redirects users to this page, where it provides the following explanation for the ban:

Sending user data to remote servers unnecessarily, and potential for remote code execution. Suspicious account activity for multiple accounts on AMO.

In the bug report, another Mozilla engineer gave additional explanations, consistent with Wu's investigation:

A number of reports have come up that the Web Security add-on (https://addons.mozilla.org/addon/web-security/) is sending visited URLs to a remote server. While this may seem reasonable for an add-on that checks visited webpages for their security, other issues have been brought up:

1) The add-on sends more data than what seems necessary to operate.

2) Some of the data is sent unsafely.

3) The add-on doesn't clearly disclose this practice, beyond a mention in a large Privacy Policy.

4) The code has the potential of executing remote code, which is partially obfuscated in its implementation.

5) Multiple add-ons with very different features, and different authors, have the same code. Further inspection reveals they may all be the same person/group.

Article updated with the names of other banned add-ons and additional investigation details provided by Wu.