One malicious add-on and another add-on with a serious security vulnerability were discovered recently on the Mozilla Add-ons site. Both issues have been dealt with, and the details are described below.
Mozilla Sniffer
Mozilla released an alert about an add-on for Firefox that, when installed, is stealing passwords typed in the browser. Called “Mozilla Sniffer”, the add-on was added to the Gallery of Add-ons on 6th June and removed more than a month later on 12th July.
It was discovered that this add-on contains code that intercepts the login sent to any site, referring the data to another location, announced on Mozilla’s Add-on blog. It’s warned that who installed it must change their passwords as soon as possible. Added to the list of blocked extensions, Mozilla Sniffer was downloaded 1800 times in five weeks during its availability.
Cool Previews
Another add-on which deserves attention is CoolPreviews, 21st in most downloaded list. The previous program versions came with a vulnerability that could be used by hackers to take control of the machine. All were excluded from the site on 24th June and a new version 3.1.0625, with the fix was added in the next day.
The flaw could be exploited from a hyperlink created especially for this purpose. If the user clicks the same, a JavaScript code will be executed, giving the control to the responsible for the attack. CoolPreviews has an average of 79,290 downloads per week. According to Mozilla, last Tuesday, 177,000 people were still using one of the versions with the vulnerability.
Recent Comments