Softpedia
July 14th, 2010, 08:01 GMT · By

Password-Stealing Extension Discovered on Mozilla Add-ons Repository

SHARE:

Adjust text size:


Mozilla blacklists password-stealing Firefox extension
Mozilla has banned from its add-ons repository a Firefox extension that stole users' login credentials for over a month. A legitimate extension was also blacklisted because of a critical vulnerability that allowed remote code execution.

In an announcement posted on its official Add-ons blog, Mozilla revealed that an extension called “Mozilla Sniffer” stole usernames and passwords from users for over a month. The extension was uploaded to the AMO website (addons.mozilla.org) on June 6th and did nothing more than intercept login credentials for any website and submit them to a third-party server.

“Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users,” Mozilla said. The organization explained that the malicious behavior was not detected earlier because this extension had an experimental status. Apparently, such extensions are not subjected to manual code review and are only automatically scanned for known viruses and other malware.

Despite the experimental tag, this add-on was downloaded 1,800 times and had 334 daily active users at the moment when Mozilla was informed of the threat. The site where stolen data was collected is currently offline, but users who downloaded and installed this extension are advised to change all of their passwords immediately.

The second blacklisted extension is a legitimate one called CoolPreviews. This add-on displays a preview of the destination website when the mouse hovers over a hyperlink. However, a critical vulnerability in version 3.0.1 allows attackers to craft malicious links that result in the execution of malicious JavaScript with elevated privileges.

A new version containing a fix for this issue has been uploaded to the repository, but Mozilla says that 177,000 users still have the vulnerable one installed. The blocklist update will be pushed to users gradually; however, the check can be triggered manually by opening the Error Console (Tools > Error Console from the Firefox menu, or Ctrl+Shift+J), pasting Components.classes['@mozilla.org/extensions/blocklist;1'].getService(Components.interfaces.nsITimerCallback).notify(null) into the Code field and pressing Evaluate.

You can follow the editor on Twitter @lconstantin

Copyright © 2001-2012 Softpedia.