YouTube Unblocker add-on caught installing malware

Mar 3, 2016 20:03 GMT

Mozilla developers have taken steps to ban the popular YouTube Unblocker add-on after it was caught altering browser security settings and even installing a second add-on without the user's consent.

YouTube Unblocker is a Firefox add-on that allows users to view YouTube videos blocked in their country. It does so by using a collection of proxy servers to reroute YouTube content through countries in which the videos are whitelisted.

This past weekend, a user complained about the add-on exhibiting sneaky behavior, saying that his Avast antivirus blocked a download coming from a third-party website as soon as he installed the YouTube Unblocker add-on.

Rogue add-on was altering Firefox security settings

The user analyzed the add-on's source code and found that the extension was altering the browser's default settings by installing a new user.js configuration file.

This file contained options that disabled Firefox's built-in add-on signing feature. This feature prevents the browser from installing unsigned add-ons that have not been tested (and signed/certified) by Mozilla. Code signing is a recent security feature added to Firefox, which Mozilla deemed necessary to prevent situations like these.

With this feature turned off, YouTube Unblocker was downloading another add-on called Adblock Converter, which Avast flagged as malware.

Things got even shadier because this add-on did not appear in Firefox's standard Add-ons page (about:addons), and it re-enabled itself as soon as the user managed to disable it when starting Firefox in Safe Mode.
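The tampering described above leaves a trace a defender can look for: a user.js (or prefs.js) in the Firefox profile that switches signature enforcement off. The following check is an added example, not code from the article, the reporting user or the add-on; the article does not name the setting, so the preference name xpinstall.signatures.required is an assumption about which one was involved, and the sample file contents are constructed.

```python
import re
from pathlib import Path

# Assumption: the article does not name the setting; this is Firefox's
# preference for enforcing add-on signatures.
SIGNING_PREF = "xpinstall.signatures.required"

# Preference files hold lines of the form: user_pref("name", value);
# Anchoring at line start skips lines commented out with //.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
# Block comments are stripped only when they open a line, so "/*" inside a
# string value (for example "*/*") is left alone.
BLOCK_COMMENT_RE = re.compile(r"^\s*/\*.*?\*/", re.M | re.S)

def parse_prefs(text):
    """Return {name: raw value}; a later line overrides an earlier one."""
    return dict(PREF_RE.findall(BLOCK_COMMENT_RE.sub("", text)))

def signing_disabled(text):
    """True if the file switches add-on signature enforcement off."""
    return parse_prefs(text).get(SIGNING_PREF, "").lower() == "false"

def scan_profiles(root):
    """Return sorted paths of user.js/prefs.js under root that disable signing."""
    hits = []
    for path in Path(root).rglob("*.js"):
        if path.name in ("user.js", "prefs.js") and signing_disabled(
            path.read_text(encoding="utf-8", errors="replace")
        ):
            hits.append(path)
    return sorted(hits)

# Constructed samples (not the add-on's actual file).
SAMPLE_TAMPERED = 'user_pref("xpinstall.signatures.required", false);\n'
SAMPLE_CLEAN = (
    '// user_pref("xpinstall.signatures.required", false);\n'
    'user_pref("network.http.accept.default", "text/html,*/*;q=0.8");\n'
    'user_pref("xpinstall.signatures.required", true);\n'
)

if __name__ == "__main__":
    import sys
    for hit in scan_profiles(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("signature enforcement disabled in", hit)
```

Pass the Firefox profiles directory as the argument; any file it reports is worth comparing against what the user or administrator set deliberately.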

The add-on had a history of "bad behavior"

After Mozilla had investigated the user's complaint, YouTube Unblocker was removed from Mozilla's official Add-on portal. When justifying their decision, the Mozilla staff also cited another similar report from June 2015, when the add-on contained self-update code that allowed its operator to update the add-on without going through Mozilla's review process.

The add-on remains available through its homepage. Before being taken down, the add-on was installed on over 250,000 Firefox browsers. Users who want to get rid of the add-on can follow these steps provided by Ghacks.