- A number of Firefox add-ons were caught sending user history data to private servers and have now been removed by Mozilla.
- All of the reported add-ons were audited individually by Mozilla before they were banned for breaching user privacy and violating privacy policies in place.
- The add-ons have been disabled for users who installed them, and they will no longer be able to collect user data.
Multiple widely used Firefox add-ons were recently reported to be snooping on user data and sending it to private servers. The biggest offender identified by Mozilla was ‘Web Security,’ which was downloaded by over 220,000 users from the official add-ons store. Web Security and 22 other add-ons were caught sending URLs from users’ Web histories to remote servers. The add-ons Web Security, Browser Security, Browser Safety and Browser Privacy were guilty of sending the stolen data to the same server.
Mozilla Browser Engineer Rob Wu analyzed the violating add-ons and audited their code. The add-ons are currently disabled, and Firefox users will no longer have to worry about their browsing histories being sent to unknown organizations. Wu revealed that he used ‘Webextaware,’ a Web extension and security analyzer made by Mozilla. He identified problematic add-ons and put them under an additional review.
The first category of privacy-breaching Firefox add-ons sent requests to remote servers containing URLs from every user’s browsing history. They used remote code execution functionality, and due to multiple flaws in how they were coded, 7 out of 10 banned extensions were unable to implement the data theft properly.
The second group of add-ons used code obfuscation, which allows the malicious data-breaching code to be mixed with legitimate code and spread across multiple locations and files. A number of misleading identifiers were found, which made it obvious that the extensions were guilty of stealing user data. Mozilla released a list of add-ons that have been removed from Firefox.