7.16.2010

Mozilla issues warning over password-stealing Firefox add-on

Mozilla has issued a warning that an add-on for its popular Firefox web browser called "Mozilla Sniffer" is in fact a keystroke logger. The add-on was included in a collection of tools popular within the security community for discovering vulnerabilities in web applications. Mozilla has already yanked the extension from its site; it will also automatically disable the add-on for the estimated 300-plus users who have already downloaded and installed it.

The nefarious add-on was discovered by accident by Mozilla user Johann-Peter Hartmann, who was using the sniffer add-on to help a friend with some tests. A parallel tool that Hartmann was running detected a connection to an unrelated address. On further exploration, he discovered that the add-on was secretly sending a copy of the URL, password and other details to a site presumably controlled by the hacker.
For now, Mozilla says that the site the data was sent to has been taken down. However, it is not known who is behind it or how much data was pilfered before the takedown. Even so, Mozilla issued the warning that "Anybody who has installed this add-on should change their passwords as soon as possible."
In response to this debacle, Mozilla says that it is currently working on a new security model under which new add-ons will be code-reviewed before being allowed to be hosted on its addons.mozilla.org site.
For more on this story:
- check out this article at The Inquirer
- check out this article at InfoWorld
- check out this article at Netcraft