A wave of malware add-ons hit the Mozilla Firefox Extensions Store

[harlan4096]

If you browse the official Mozilla store for Firefox extensions, called Mozilla AMO, you may stumble upon extensions that have names of popular software products or extensions.

Extensions like Adobe Flash Player or ublock Origin Pro are listed in the Mozilla AMO store currently. These have no users at the time of writing as they are brand new and they appear to have been created and uploaded by random users (Firefox user xyz).

The extensions have no description and they require access to all data for all websites. When you download the extensions, you may notice that the name of the extension does not necessarily match the downloaded file name. The download if ublock origin pro returned a adpbe_flash_player-1.1-fx.xpi file.

The actual extensions have different file sizes and their functionality may differ as well. All have in common that they listen to certain user inputs and send these to a third-party web server.

The uBlock copycat extension sends form data to a web server, the first Adobe Flash Player copycat that I checked logged all keyboard inputs and did the same.

Mozilla will remove the extensions once it notices them. The problem here is that this happens after the fact. The spam extensions may turn up in user searches and they also turn up when you sort by recent updates.

Mozilla switched from a "review first, publish second" to a "publish first, review second" model in 2017. Any extension uploaded to Mozilla AMO that passes automated checks is published first with the exception of extensions of the Firefox Recommended Extensions program.

Google does the same thing but does not even review extensions manually after publication. The process leads to faster publications but also opens the door for spam and malicious extensions.

Continue Reading