Mozilla Pulls Firefox Add-on for Stealing Passwords

Mozilla pulled a malicious add-on for Firefox that it says was found to be stealing password information from users. The add-on, Mozilla Sniffer, was downloaded by nearly 1,800 users. Also, Mozilla reports a security escalation vulnerability in the popular CoolPreviews add-on.

Mozilla has removed a malicious, password-stealing Firefox add-on from its servers and added it to its block list.

The add-on, Mozilla Sniffer, had been in Firefox's library of add-ons since June 6, and had been downloaded nearly 1,800 times.

"It was discovered that this add-on contains code that intercepts log-in data submitted to any Website, and sends this data to a remote location," Mozilla stated in a July 13 advisory. "Upon discovery on July 12, the add-on was disabled and added to the block list, which will prompt the add-on to be uninstalled for all current users."

As of July 13, the add-on had 334 active daily users, though it is unknown if data is still being collected since the site the add-on sends data to is down, Mozilla said. The company urged all users to uninstall the add-on and change their passwords as soon as possible.

"Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla," the company said. "The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, Trojans and other malware, but some types of malicious behavior can only be detected in a code review."

In addition to Mozilla Sniffer, the company also temporarily pulled a popular add-on called CoolPreviews after a vulnerability was discovered. CoolPreviews, which gets more than 77,000 weekly downloads, allows users to review links and images without leaving their current page or tab by hovering their mouse cursor over a link.

CoolPreviews is currently ranked 21st on Mozilla's list of popular Firefox add-ons. According to Mozilla, a security escalation vulnerability was discovered in Version 3.0.1.

"The vulnerability can be triggered using a specially crafted hyperlink," Mozilla said. "If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on, and a fixed version was uploaded and reviewed within a day of the developer being notified."

No known exploits of the flaw have been reported, but Mozilla urged all users of CoolPreviews to update to the latest version as soon as possible.