Mozilla pulls password-sniffing Firefox add-on
July 15, 2010 by admin
Mozilla has issued a warning that a Firefox add-on available from the official Mozilla Add-Ons website was secretly sending users’ stolen passwords to a remote location.
“Mozilla Sniffer” was uploaded to the Firefox add-on site on June 6th, but was only determined at the start of this week to contain code that sent the contents of website login forms to a remote location.
In other words, if you installed this add-on (and according to Mozilla about 1800 people did) then every time you entered your password on a website you were potentially handing over your confidential login details to an unknown party.
And this isn’t the first time that Firefox add-ons have made the security headlines. For instance, earlier this year Mozilla revealed that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.
Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn’t enough in this latest breach, and there is a proposal to introduce a requirement that all add-ons be code-reviewed before they are published on the site. More details on this proposal are available in a document about the new review model.
Mozilla has now block-listed the “Mozilla Sniffer” add-on, meaning that users who are already running the code will be prompted to remove it.
If you’re one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.















