Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users

mozilla firefox flaw

The misbehaving Firefox add-ons were misusing an API that controls how Firefox connects to the internet.

Mozilla’s Firefox team has blocked add-ons that were abusing the proxy API in order to prevent around 455,000 users from updating their browsers.

In a Monday post, Mozilla’s development team members Rachel Tublitz and Stuart Colville said that they’d discovered the misbehaving add-ons in early June. The add-ons were misusing the proxy API, which APIs use to control how Firefox connects to the internet.

Add-ons are powerful snippets of software that can be added to Firefox or other apps to customize the browser by doing things like preventing tracking, blocking ads, downloading videos from websites or providing content translation.

Infosec Insiders Newsletter

On the flip side, they can be nasty little critters that install malware, like the 28 add-ons for Facebook, Vimeo, Instagram and others that researchers found in commonly used browsers from Google and Microsoft last year. The add-ons were siphoning off sensitive data, had the ability to enable further malware downloads, and were tweaking links that victims clicked on in order to redirect them to phishing sites and ads.

The Firefox team said that the misbehaving Firefox add-ons they found in June – named Bypass and Bypass XM – were misusing the API to intercept and redirect users from downloading updates, accessing updated blocklists and updating remotely configured content.

Blocking the Update Blockers

Mozilla has blocked the malicious add-ons in order to keep them from being installed by yet more users.

102621 18:38 UPDATE: For developers waiting on approvals for new add-ons that use the proxy API,  Mozilla is accepting new submissions, as outlined in its blog post. The post also provides recommended settings to Firefox add-on developers to help expedite review for add-ons.

Mozilla has also made a change to how important requests such as update requests get handled by the browser. Starting with Firefox 91.1, if an important request is made via a proxy configuration that fails, Firefox will resort to direct connections instead.

“Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users,” the Firefox developers said.

In addition, the team has deployed a system add-on named Proxy Failover (ID: proxy-failover@mozilla.com) to block similar malicious add-ons. System add-ons – a way to ship Firefox extensions – are hidden, impossible to disable, and can be updated without the need to restart. Proxy Failover has been shipped to both current and older Firefox versions, Mozilla said.

What Firefox Users Should Do

First, make sure you’re running on the latest version, which as of Monday was Firefox 93 or Firefox ESR 91.2. You should be running at minimum the latest release version, Mozilla said. Here’s how to check what version you’re running.

Next, if you’re using Firefox on Windows, make sure that Microsoft Defender is running, Mozilla said: “Together, Firefox 93 and Defender will make sure you’re protected from this issue.”

Mozilla said that those who aren’t running the latest version and who haven’t disabled updates might want to check if they’ve been affected by the malicious add-ons. The first step is to try to update Firefox: Recent versions come with an updated blocklist that automatically disables the malicious add-ons.

If that doesn’t work, Mozilla provided other ways to fix the problem in its post.

What Firefox Add-on Developers Should Do

Mozilla is asking all developers of add-ons that require the use of the proxy API to start including a strict_min_version key in their manifest.json files targeting “91.1” or above, as shown in this example:

“browser_specific_settings”: { “gecko”: { “strict_min_version”: “91.1” } }

“Setting this explicitly will help us to expedite review for your add-on,” the Firefox developers said. “Thank you in advance for helping us to keep Firefox users secure.”

102621 18:38 UPDATE: This story was updated to reflect the fact that Mozilla is accepting new submissions for add-ons that use the proxy API.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles