Mozilla warns of malicious add-ons that send passwords to a third party and execute remote JavaScript code

Mozilla has issued a warning about a Firefox add-on that secretly sent users' stolen passwords to a remote location.

Mozilla said that a malicious add-on, and a second add-on with a serious security vulnerability, were discovered recently on the Mozilla add-ons site. The add-on ‘Mozilla Sniffer’ was uploaded on 6th June to addons.mozilla.org. It was subsequently discovered that the add-on contained code that intercepted login data submitted to any website and sent that data to a remote location.

Upon discovery on 12th July, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users. Approximately 1,800 downloads were completed and Mozilla is currently reporting 334 active daily users.

Mozilla has said that it did not develop or review ‘Mozilla Sniffer’. The add-on was in an experimental state, so all users who installed it should have seen a warning indicating that it had not been reviewed.

A further warning has also been issued about the ‘CoolPreviews’ add-on: if a user hovers the cursor over a link, the preview function executes remote JavaScript code with local chrome privileges (the same privilege level as the browser itself), giving the attacking script control over the host computer.

Mozilla said that version 3.0.1 and all older versions have been disabled on addons.mozilla.org and a fixed version was uploaded and reviewed within a day of the developer being notified. It also said that proof of concept code for this vulnerability was posted, but no known malicious exploits have been reported so far.

Graham Cluley, senior technology consultant at Sophos, commented that this is not the first time that Firefox add-ons have made the security headlines, as Sophos revealed earlier this year that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.

He said: “Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn't enough in this latest breach, and there is a proposal to introduce a requirement that all add-ons be code-reviewed before they are published on the site. More details on this proposal are available in a document about the new review model.

“If you're one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.”
