Mozilla pulled a malicious add-on for Firefox that it says was found to be stealing password information from users. The add-on, Mozilla Sniffer, was downloaded by nearly 1,800 users. Also, Mozilla reports a security escalation vulnerability in the popular CoolPreviews add-on.
Mozilla has removed a malicious, password-stealing Firefox add-on from its
servers and added it to its block list.
The add-on, Mozilla Sniffer, had been in Firefox's library of add-ons
since June 6, and had been downloaded nearly 1,800 times.
"It was discovered that this add-on contains code that intercepts log-in
data submitted to any Website, and sends this data to a remote location," Mozilla
stated in a July 13 advisory. "Upon discovery on July 12, the add-on
was disabled and added to the block list, which will prompt the add-on to be
uninstalled for all current users."
As of July 13, the add-on had 334 active daily users, though it is unknown
if data is still being collected since the site the add-on sends data to is
down, Mozilla said. The company urged all users to uninstall the add-on and
change their passwords as soon as possible.
"Mozilla Sniffer was not developed by Mozilla, and it was not reviewed
by Mozilla," the company said. "The add-on was in an experimental
state, and all users that installed it should have seen a warning indicating it
is unreviewed. Unreviewed add-ons are scanned for known viruses, Trojans and
other malware, but some types of malicious behavior can only be detected in a
In addition to Mozilla Sniffer, the company also temporarily pulled a
popular add-on called CoolPreviews after a vulnerability was discovered. CoolPreviews,
which gets more than 77,000 weekly downloads, allows users to review links and
images without leaving their current page or tab by hovering their mouse
cursor over a link.
CoolPreviews is currently ranked 21st on Mozilla's list of popular Firefox
add-ons. According to Mozilla, a security escalation vulnerability was
discovered in Version 3.0.1.
"The vulnerability can be triggered using a specially crafted hyperlink,"
Mozilla said. "If the user hovers the cursor over this link, the preview
the attacking script control over the host computer. Version 3.0.1 and all
older versions have been disabled on addons.mozilla.org, and a fixed version
was uploaded and reviewed within a day of the developer being notified."
No known exploits of the flaw have been reported, but Mozilla urged all
users of CoolPreviews to update to the latest version as soon as possible.