Peaches Posted July 15, 2010

Password-Stealing Extension Discovered on Mozilla Add-ons Repository

Stole login credentials from users for over a month

Mozilla has banned a Firefox extension that stole users' login credentials for over a month from its add-ons repository. A legit extension was also blacklisted because of a critical vulnerability that allowed for remote code execution.

"Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users," Mozilla said.

The organization explained that the malicious behavior was not detected earlier because this extension had an experimental status. Apparently, such extensions are not subjected to manual code review and are only automatically scanned for known viruses and other malware.

Despite the experimental tag, this add-on was downloaded 1,800 times and had 334 daily active users at the moment when Mozilla was informed of the threat. The site where stolen data was collected is currently offline, but users who downloaded and installed this extension are advised to change all of their passwords immediately.

The second blacklisted extension is a legit one and is called CoolPreviews. This add-on displays a preview of the destination website when hovering the mouse over a hyperlink. However, a critical vulnerability in the 3.0.1 version allows attackers to craft malicious links that would result in the execution of malicious JavaScript with elevated privileges.

Details - http://news.softpedi...ry-147495.shtml
Peaches Posted July 15, 2010

July 14, 2010 4:03 PM PDT

Mozilla disables password-stealing Firefox add-on

Mozilla has disabled and added to a block list a Firefox add-on that stole log-in information when users visited Web sites, the company says.

The software, called Mozilla Sniffer, had been downloaded about 1,800 times in the approximately five weeks it was available on addons.mozilla.org, Mozilla reported in a blog post on Tuesday. The blocklist will prompt the add-on to be uninstalled for computers running the program. Users who installed it should change their passwords.

Mozilla Sniffer intercepts login data and sends it to a remote server that appeared to be down, according to the blog post. The software was not developed by Mozilla, nor was it reviewed by the company. Unreviewed add-ons are scanned for viruses, Trojans and other malware, but some malicious activity can only be detected by reviewing the code, Mozilla said.

"We're already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site," the company said.

http://news.cnet.com/security/