Tag Archives: Add-on

Firefox ShowIP add-on privacy concerns

Sophos

A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.

Naked Security reader Rob Sanders alerted us to the activities of the recently updated ShowIP add-on for the Firefox browser.

Currently over 170,000 people are said to be using ShowIP.

What the add-on’s description doesn’t say is that since version 1.3 (released on April 19th 2012) it has also sent – unencrypted – the full URL of sites visited using HTTPS, and sites viewed in Private Browsing mode, to a site called ip2info.org.

The user never realises that the data has been shared with a third party, unless they use special tools to monitor what data is being sent from their computer.

http://nakedsecurity.sophos.com/2012/05/01/privacy-concern-showip-firefox-add-on/

Mozilla blocks ScriptScan Add On

McAfee ScriptScan has been blocked for your protection.

Why was it blocked?
This add-on causes a high volume of crashes.

Who is affected?
Users of McAfee ScriptScan versions 14.4.0 and below for all versions of Firefox and SeaMonkey.

What does this mean?
Users are strongly encouraged to disable the problematic add-on or plugin, but may choose to continue using it if they accept the risks described.

https://addons.mozilla.org/en-US/firefox/blocked/i42

Surfing to the “Add-ons Blocklist” page, one is greeted with:

This article is no longer maintained, so its content might be out of date.

Just saying… ;-)

Firefox and Thunderbird 6.0.1 released

https://www.mozilla.org/en-US/firefox/6.0.1/releasenotes/

http://www.mozilla.org/en-US/thunderbird/6.0.1/releasenotes/

If you do not receive an update notice when using the applications, select “Check for Updates” from the Help menu.

Mozilla addons site targeted in same attack that hit Google

“In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users.”

http://www.theregister.co.uk/2011/08/31/more_site_certificates_forged/

Download Firefox 6.0.1
https://www.mozilla.com/en-US/firefox/all.html
Download Thunderbird 6.0.1
http://www.mozilla.org/en-US/thunderbird/all.html

Mozilla outs lethargic add-ons

One I’d already disabled is listed in the top two, 74% slowdown. :-o

Add-ons provide many useful features and functions, but they can also cause Firefox to become slower. Some add-ons can even slow Firefox to a crawl and make it difficult to use for regular web browsing. If you think add-ons might be the reason Firefox is lethargic, check the list below for some of the biggest bottlenecks. And remember, for best performance you should disable add-ons that you no longer use regularly.

Add-ons with Slowest Start-up

The following add-ons have the most impact on how long it takes Firefox to start up.

https://addons.mozilla.org/en-US/firefox/performance/

http://www.wired.com/epicenter/2011/04/mozilla-publishes-list-of-the-50-slowest-firefox-add-ons/

Firefox blocks Skype add-on

Mozilla

The current shipping version of the Skype Toolbar is one of the top crashers of Mozilla Firefox 3.6.13, and was involved in almost 40,000 crashes of Firefox last week. Additionally, depending on the version of the Skype Toolbar you’re using, the methods it uses to detect and re-render phone numbers can make DOM manipulation up to 300 times slower, which drastically affects the page rendering times of a large percentage of web content served today (plain English: to the user, it appears that Firefox is slow loading web pages). We believe that both of these items constitute a major, user-facing issue, and meet our established criteria for blocklisting an add-on.

http://blog.mozilla.com/addons/2011/01/20/blocking-the-skype-toolbar-in-firefox/

Firefox: Two Add-on security vulnerabilities

Mozilla Security Announcement.

Mozilla Sniffer
An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.

Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

CoolPreviews
A security escalation vulnerability was discovered in version 3.0.1 of the CoolPreviews add-on. The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on addons.mozilla.org, and a fixed version was uploaded and reviewed within a day of the developer being notified.

Proof of concept code for this vulnerability was posted on this blog, but no known malicious exploits have been reported so far. If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution.

All users of CoolPreviews should update to the latest version as soon as possible in order to avoid exposure.

Currently, 177,000 users have a vulnerable version installed. This is less than 25% of the current install base and it will continue to decrease as more users are prompted to update to a new version. Vulnerable versions will also be blocklisted very soon.

http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

NoScript-Adblock Plus mini wars

Posted by: Giorgio, NoScript. 2009-05-04

I screwed up. Big time.
Not just with Adblock Plus users but with the Mozilla community at large.

I did something extremely wrong, which I will regret forever.
I abused the power and wasted the enormous trust capital gained by the NoScript add-on through the years to prevent Adblock Plus from blocking stuff on four internet domains of mine, without asking for explicit preemptive user consent.

This is absolutely inexcusable. Something I would never conceive again for the life of me.

Dear Adblock Plus and NoScript Users, Dear Mozilla Community
http://forums.informaction.com/viewtopic.php?p=2777#p2777

Posted by: Wladimir Palant, Adblock Plus. 2009-05-01

Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects. The recent events give an impression of the kind of effects we should expect here. This is going to be about the popular NoScript extension which happens to make its money from ads. And to make sure that somebody sees these ads it goes pretty far.

Attention NoScript users

Edit: Added links.

Mozilla Blog: No Surprises

Surprises can be appropriate in many situations, but they are not welcome when user security, privacy, and control are at stake. Mozilla is committed to guarding these principles, and we feel that a policy should be adopted that explicitly details our stance on these issues in regard to add-on modifications.

We welcome all constructive feedback and comments on this proposal, preferably in the AMO Newsgroup.

FeedSmith Plugin for FeedBurner. Security Update

Potential security vulnerability
Some WordPress plugins that permit the entry of user-entered values, such as older versions of FeedSmith, can be vulnerable to what is called a “cross-site request forgery.” Without getting overly technical, this permits someone to change WordPress plugin settings on your system without you noticing during the time you are signed into your WordPress control panel. And no one wants that.
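As an added example (not FeedSmith's or FeedBurner's own code), here is the settings-saving pattern such a plugin could expose to a cross-site request forgery, alongside the nonce-protected version that WordPress provides for exactly this case; the option, nonce action and field names are assumed.

```php
<?php
// Added illustration, not FeedSmith's own code: a WordPress plugin settings
// handler in the CSRF-prone shape described above, then the hardened form.
// Option name, nonce action and field names are hypothetical.

// VULNERABLE: trusts any POST it receives. A page on another site can
// auto-submit a form to wp-admin; the browser attaches the WordPress
// cookies, so the option changes while the admin is signed in, unnoticed.
function example_feed_save_vulnerable() {
    if ( isset( $_POST['feed_url'] ) ) {
        update_option( 'example_feed_url', $_POST['feed_url'] );
    }
}

// HARDENED: the form carries a nonce bound to the logged-in user and the
// 'example_save_feed' action; a cross-site form cannot know that value.
function example_feed_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_feed', '_example_nonce' ); ?>
        <input type="text" name="feed_url"
               value="<?php echo esc_attr( get_option( 'example_feed_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_feed_save_hardened() {
    if ( ! isset( $_POST['feed_url'] ) ) {
        return;
    }
    // Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() verifies the nonce and stops with an error
    // page on mismatch, so a forged cross-site request never reaches
    // update_option().
    check_admin_referer( 'example_save_feed', '_example_nonce' );

    $url = esc_url_raw( wp_unslash( $_POST['feed_url'] ) );
    if ( '' === $url ) {
        wp_die( 'Invalid feed URL.' );
    }
    update_option( 'example_feed_url', $url );
}
add_action( 'admin_init', 'example_feed_save_hardened' );
```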

According to the official FeedBurner weblog, the update was released 10-03-07. However, it did not appear in WordPress v2.3 as an available plugin update, so I suggest checking the official FeedBurner weblog for such important updates:

http://www.feedburner.com/fb/a/home

Better yet, subscribe to their feed.