Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Firefox Mozilla Privacy Security IT Technology

Mozilla Has Banned Nearly 200 Malicious Firefox Add-ons Over the Last Two Weeks (zdnet.com) 28

Posted by msmash from the better-security-guards dept.
Over the past two weeks, Mozilla's add-on review team has banned 197 Firefox add-ons that were caught executing malicious code, stealing user data, or using obfuscation to hide their source code. From a report: The add-ons have been banned and removed from the Mozilla Add-on (AMO) portal to prevent new installs, but they've also been disabled in the browsers of the users who already installed them. The bulk of the ban was levied on 129 add-ons developed by 2Ring, a provider of B2B software. The ban was enforced because the add-ons were downloading and executing code from a remote server. According to Mozilla's rules, add-ons must self-contain all their code, and not download code dynamically from remote locations. Mozilla has recently begun strictly enforcing this rule across its entire add-on ecosystem. A similar ban for downloading and executing remote code in users' Firefox browsers was also levied against six add-ons developed by Tamo Junto Caixa, and three add-ons that were deemed fake premium products (their names were not shared).
This discussion has been archived. No new comments can be posted.

Mozilla Has Banned Nearly 200 Malicious Firefox Add-ons Over the Last Two Weeks More

Mozilla Has Banned Nearly 200 Malicious Firefox Add-ons Over the Last Two Weeks

Comments Filter:

  • Was the (Score:3)

    by thereddaikon ( 5795246 ) on Monday January 27, 2020 @01:44PM (#59661308)

    B2B software actually malicious or just another case of a lazy dev who failed to keep up with standards?

    • Re: (Score:3, Insightful)

      by sehlat ( 180760 )

      B2B software actually malicious or just another case of a lazy dev who failed to keep up with standards?

      It doesn't matter which case (malice or laziness). Either the code is included or it's downloaded. If it's included, there's only one attack surface: your machine. If it's not, then the remote machine is also in the game. That doubles your attack surface right there.

  • google needs to do the same (Score:5, Insightful)

    by FudRucker ( 866063 ) on Monday January 27, 2020 @01:58PM (#59661398)
    they need to clean up the Google Play Store for android because there is way too much crap adware labeled as free, and i believe if it serves advertising then it is NOT free, it is being paid for by the user allowing this crap turn their phones and tablets into platforms for advertising,

    • Re: (Score:2, Interesting)

      by shanen ( 462549 )

      You say it so badly that you don't deserve any mod points. Let me try to word it more clearly in terms of a solution that could be implemented.

      The FINANCIAL information for apps (though it should be focused on Firefox Add-ons for this story) should be made visible so that criminal apps find it harder to hook suckers. The financial information should have two sections. One is from the developer and in most cases would just be selecting from a menu of the standard business models. If the developer is doing so

    • That's why I only install 2 apps from there, Firefox and the F-Droid app repo app.

      Appers app and app, and when they want to stop, no, they're still apping, because their apps also apped, and those app-apps don't want to stop apping.

  • Details (Score:5, Informative)

    by BringsApples ( 3418089 ) on Monday January 27, 2020 @02:13PM (#59661480)

    It'd be so nice to know which add-ons, so here's a list of GUIDs that they're talking about (Mozilla listed only the add-on IDs, not their names, so add-on developers can appeal the ban and remove the malicious behavior).

    In order to view the extension ID on extensions that you have installed, do the following:
    Open about:memory. Click "measure" in Show memory reports. In the Main Process section, scroll down to Other Measurements. There you will find the installed (active) extensions with their names and their ids displayed as baseURL=moz-extension://[random-ids].

    This method works for both Firefox and Firefox for Android. Note that only enabled extensions are shown.

    Here's the list of IDs that Firefox found to be malicious:

    {5335fd1c-3baf-4578-b339-516dbdcec832}
    {1bf381aa-a819-4067-a537-eadb0d6538ba}
    {0e3703a0-46ae-4d18-bd04-8f8f570fdb77}
    {b350dc7e-cfcc-4ffe-9225-9feefe922bdb}
    {eeb3bf29-f1db-4f75-a6cb-8675ace58390}
    {9a216bb4-d664-4535-baef-ee1f4db012d2}
    {293476ee-263e-4cad-8dc4-2fe03209adc7}
    {622303be-705e-4247-bc2e-9016d8867e3d}
    {6ac09a19-8de3-418f-a4e1-1ee3e8810990}
    {3acb1e80-e126-4024-840f-3297659f9448}
    {44e3f210-6036-4364-90b9-3e8bb6fb3d98}
    {51e7e0fa-69e1-43f8-9578-d8372c2885b7}
    {1c2393b0-f2f7-497d-a34e-399dc6002d26}
    {a6a02c49-fafc-45d0-bb60-9f940a64c99a}
    {02a0090d-026a-4d02-a530-1b4d96e80c14}
    {9a988579-6773-48c2-91ab-8e917b20ab90}
    {22dfee7d-aa7c-4765-95e6-e81513cc7d37}
    {8c6d03f8-db65-4d5c-8431-ff66365847c4}
    {168b7acd-43d3-46d5-b76a-de3139dd9570}
    {abc95bbf-2548-4bf3-a0b9-9cb028496277}
    {d1282b8a-c467-4b02-9c11-e63e614ee8a8}
    {338422e6-bcf6-4171-9541-1c0f8c3dc3db}
    {10d5b345-535a-472b-8e8f-4f1a1cec9f2b}
    {64813672-8b55-4ac3-8dd2-c1da80132b77}
    {00e7df6e-7a0f-44d1-9fc1-0ddbdb473f4e}
    {564c2b95-b70b-4243-84dd-21fead791642}
    {71deda20-495f-4061-9c90-f46d1f7dfedd}
    {054d7610-9edb-47a7-af57-aed4be023015}
    {2b3f6877-99b0-4d35-8b85-9f75dd53ac92}
    {299f2568-3330-4466-8b47-4240643f8200}
    {077ead0f-8e84-4d6e-8fb1-a22126f9bf4f}
    {8ae52853-efd8-4d3d-b8f4-f70b048a389c}
    {36321783-e1c3-4f95-859a-d1c88eb75327}
    {7f878add-6b95-4b57-ab16-d8688819373a}
    {10148e15-b7f7-43bd-89c0-01957aad8188}
    {65e3540e-c3d9-4831-9dbf-598f2ef38d7f}
    {6fe77565-de36-4d06-ae30-59e3c98fc974}
    {7c79599d-ddde-4f62-9561-3c7aaea788a6}
    {d2fb1b99-98c4-48ea-ac43-8d729a1a8963}
    {38387674-fcc2-4292-a20b-08931ea0936e}
    {f00678a9-4b60-4a24-bdb0-4ce6c960cd28}
    {15d08bce-4f8a-451f-bdb5-5d1f720dde7d}
    {3a1da641-0fcc-4c06-b4b9-21d8d5dd3720}
    {6b7a8c7d-3956-4ac3-8c98-423a0bed1d75}
    {28f786b3-64a1-4152-9629-efabdede0b4c}
    {b1535617-e25a-48fe-b47d-c57affc65d5a}
    {255f303c-d5ce-47af-a925-1ad2c84c710f}
    {0ab25c60-4750-45f1-85f2-913440d6c6fc}
    {6cf0ef3e-d911-44c0-8b58-7abcb99d0243}
    {991c3933-0b3b-49f5-b3a3-1a60bf62f269}
    {bc5e31d7-42da-49c2-9624-1b4d5707b5ec}
    {8d8320f0-df3c-48f1-8839-f6969cbd3c17}
    {35f35aaa-506e-41d4-8468-3c4f4a56b434}
    {f1f6e2bb-32d1-4d79-8e5a-659e5af15b78}
    {1109f231-559f-44dd-bd84-85fac05f845b}
    {b6111372-b58f-4130-a6ae-a1445a196d85}
    {b21099c0-e496-443b-8d43-610a9aae60fb}
    {d8a40da5-bbca-417e-9ea5-e77332739366}
    {5dcaea9a-e152-4667-a4d5-b29f5afe9e61}
    {98b95d2a-1de8-4234-a73f-568531785850}
    {b11ad72d-2f64-4494-9f5e-6ad2e36bfc16}
    {3503a09e-76e5-4fba-8d65-d8bbb198b2c1}
    {f45fac5e-f3b0-4932-8c8b-254c6dcd3219}
    {4210d4ec-9e2a-40d1-83de-53a9728c01d5}
    {10691e9c-7399-4fb2-b824-256ed6c8c08e}
    {148338c2-ee0d-4659-baed-5b9aca28407f}
    {f3a2a32b-ec49-4fc5-bb46-f00f86d4cbff}
    {425bd894-b282-4a58-a2d0-3054fe3fd856}
    {7ccc3a62-7f92-4a1e-8e32-af734721a136}
    {91c939ae-00db-400d-a814-a964dc85fcf8}
    {83fdf43f-c064-4ae0-ac5f-6668fca576b0}
    {824f975f-a740-47d5-b4c8-0868fdcb154f}
    {2404f236-28ae-4852-b50d-50e66312f69f}
    {3f307709-bdf8-4dc5-afd7-4aaeb2a85176}
    {24f3c174-f09b-41fe-8c26-dfc051b2f352}
    {ecb81864-05bd-45f9-a1a3-5f56ad62c1c0}
    {fecad0e5-5f8c-4539-8893-9a4c9e4ab567}
    {03badfb9-bba5-4a3b-ae1e-0bde1bef38f3}
    {1f2defb6-af80-4822-b1d2-816c0575dd8b}
    {195450ff-84

  • Lead to more centralized points of a failure. I also noticed the new Chromium Edge extension store has been flooded with spam apps but Microsoft obviously doesn’t care. The death of XUL means there is no incentive to make quality extensions anymore so spam developers just make the lowest common denominator necessary to get hooks into your personal data.

    We will never go back to the glory days of extensions with Firefox 1.0-3.6, Mozilla has drunk the Chrome aid.

    • Re:The consolidation of browsers (Score:5, Insightful)

      by slack_justyb ( 862874 ) on Monday January 27, 2020 @03:32PM (#59661802)

      We will never go back to the glory days of extensions with Firefox 1.0-3.6, Mozilla has drunk the Chrome aid

      This is so confusing considering this article that you are commenting on. The "glory days" of Firefox add-ons had zero sense of security. Everything ran in a single process. Every bit of information was visible to every other bit of information. The biggest thing that the old makers lament was the new restrictions on access to data within Firefox. That's what made the add-ons so "powerful" so to say, there wasn't any kind of limitation on what any specific add-on could get a hold of. And therein also lies the problem. Since none of it was separated, any add-on or webpage could ultimately bring the other down. There wasn't any kind of separation. XUL is just an XML file for explaining an user interface and the interactions required for it.

      For what it's worth, XUL could have been replaced by XAML, JavaFX, or even a Glade file. The actual language that was used is irrelevant. What was broken with old Firefox was the level of access that was afforded to the add-on system and that system's heavy reliance on being single process. It might have been a great idea when Netscape originally developed it back in late 1990s but in a word where webpages became applications the implementation of the old add-on system is suicidal.

      I see these posts often about lamenting the "glory days" of Firefox add-ons and all I can say is that those wistful memories of days gone by are at best rose tinted. Add-ons back then sucked and they used every ability to suck your CPU cycles dry. The best Firefox was one where if you really needed it, you'd put your add-ons in a separate profile and leave a vanilla clean profile as your daily driver. And if you really wanted to still go down that path, IceWeasel, Pale Moon, and so on are still there for you. But add-ons with your daily driver in the pre-4.0 days was just asking to watch your browser crumble and come to a crashing halt on a pretty regular basis. So many folks forget how absolutely common it was to watch Firefox just segfault on a routine basis.

      • The thing is you could CHOOSE what addons to get.

        Now your browser comes with all sorts of baked-in tracking and sponsored bullshit. Features that should be handed off to the OS (or just not exist) keep creeping in, presenting more attack surface and bloat. Oh, and DRM is now officially part of the "open" web. And your browser now has a fucking store where you can get back some of functionality that they took away from you. Except the functionality is crippled and add-ons have to be approved and sanctione

      • Everything ran in a single process.

        For the most part it still does. Firefox and Chrome are still moving towards "true" mutli-processing, but ultimately they use a lot of hacks to save system resources. I have run into many instances with Chromium browsers where if one process hangs, every window implodes. I was quite surprised to learn that most of the multi-process stuff in modern browsers is just marketing BS.

        But add-ons with your daily driver in the pre-4.0 days was just asking to watch your browser crumble and come to a crashing halt on a pretty regular basis.

        I haven't had Firefox or PaleMoon crash in years. I can't even remember the last time it happened. Perhaps if modern browsers w

  • This wouldn't be a problem if Mozilla hadn't made it possible to be so.

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close