Mozilla has Been Banning Firefox Add-Ons En Masse Lately
- Mozilla has banned just shy of two hundred Firefox extensions in the past fifteen days.
- Users who were already using these add-ons on their browsers will see them disabled now.
- More than half of these add-ons were uploaded by a B2B software developer who is now blocked.
According to recent reports, Mozilla’s add-on reviewers have gotten a lot stricter in the past couple of weeks, banning a large number of extensions for the Firefox browser. ZDNet counted 197 Firefox add-ons which were ousted in the past two weeks. The reason for the team showing the exit door to these add-ons is not a change of policy or anything like that, but rather the more intense efforts towards the discovery of malicious behavior. Some were removed from the store on the grounds of executing shady code, others were caught stealing user data, and some were using obfuscation methods to hide parts of their source code for no good reason.
The add-ons have not just been removed but also banned from the Mozilla Extensions Portal, which means that people won’t see them there again. For those who had these add-ons already installed on their browser, Mozilla will permanently disable the extensions. It is noteworthy that 65% of the blocklist entries concern add-ons developed by 2Ring, who is a developer of B2B software. 2Ring's add-ons were engaging in remote code execution, which is obviously unacceptable. Another notable example is six extensions by Tamo Junto Caixa, a Brazilian developer.
While most of the bans don’t name the extensions but only publish their IDs, some were exposed. The known ones are ‘EasyZipTab’, FlixTab’, ConvertToPDF’, ‘FlixTab Search’, ‘WeatherPool and Your Social’, ‘Pdfviewer – tools’, ‘RoliTrade’, ‘Rolimons Plus’, ‘Fake YouTube Downloader’, and ‘FromDocToPDF’. In the case that a developer wants to submit an appeal on the ban, they are allowed to do so. The ‘Like4Like.org’ add-on was the only one from the list that has submitted an appeal so far, denying the allegations of collecting user credentials and social media tokens and sharing them with another website.
We have reported similar cases in the recent past, which goes to show that malicious actors never give up in trying to exploit Firefox users. Last May, we reported about three fake extensions somehow infiltrating the Mozilla store and hitting users with data loggers. Back then, it was their C2 communication that gave away their true nature. Then, in November 2019, Mozilla banned a new batch of Firefox extensions that were caught to engage in remote code execution. The fact that these stories continue to appear shows that actors keep on trying, and the Mozilla team still doesn’t have an effective pre-approval reviewing system in place.