Search the Community

Mozilla ends Promoted Firefox Add-ons Program Mozilla Add-ons Product Manager Jorge Villalobos announced the end of Mozilla's Promoted Add-ons pilot for the Firefox web browser on January 21, 2021. The organization decided not to move forward and make the program a permanent feature of the browser's add-ons ecosystem. After reviewing the pilot results, we have decided not to move forward with this iteration of the program. Mozilla introduced the program in September 2020 as a pilot program called Promoted Add-ons. The main idea was to provide developers with an option to get their add-ons promoted by Mozilla, and for Mozilla to extend the number of add-ons that would get reviewed through payments made by accepted developers. Selected add-ons would get manual reviews and as a consequence, if successful, a verified badge on the add-ons profile page and Mozilla's Add-ons homepage. Up until that point, only extensions selected by Mozilla for its Recommended Extensions program would be code-reviewed by the organization and would receive these batches to increase user trust in them. The Recommended Extensions program created a two-tier add-ons system, with verified extensions on one side and all other extensions on the other. Verified extensions would get promoted, some included in Firefox for Android, and all other extensions display a scary message when opened with Firefox stating that the extension is not monitored by Mozilla and that users should only install trusted extensions. Participation was free of charge during the pilot, but the idea was to evolve the pilot into a paid service that developers could utilize to get extra exposure for their add-ons; this won't happen as Mozilla decided to end the program entirely. Mozilla provides no explanation why it decided to end the program. The program has been criticized since its introduction. Some feared that it would allow companies with deep pockets to buy promotions and cause some developers to stop developing add-ons for the browser. Source: Mozilla ends Promoted Firefox Add-ons Program

A wave of malware add-ons hit the Mozilla Firefox Extensions Store If you browse the official Mozilla store for Firefox extensions, called Mozilla AMO, you may stumble upon extensions that have names of popular software products or extensions. Extensions like Adobe Flash Player or ublock Origin Pro are listed in the Mozilla AMO store currently. These have no users at the time of writing as they are brand new and they appear to have been created and uploaded by random users (Firefox user xyz). The extensions have no description and they require access to all data for all websites. When you download the extensions, you may notice that the name of the extension does not necessarily match the downloaded file name. The download if ublock origin pro returned a adpbe_flash_player-1.1-fx.xpi file. The actual extensions have different file sizes and their functionality may differ as well. All have in common that they listen to certain user inputs and send these to a third-party web server. The uBlock copycat extension sends form data to a web server, the first Adobe Flash Player copycat that I checked logged all keyboard inputs and did the same. Mozilla will remove the extensions once it notices them. The problem here is that this happens after the fact. The spam extensions may turn up in user searches and they also turn up when you sort by recent updates. Mozilla switched from a "review first, publish second" to a "publish first, review second" model in 2017. Any extension uploaded to Mozilla AMO that passes automated checks is published first with the exception of extensions of the Firefox Recommended Extensions program. Google does the same thing but does not even review extensions manually after publication. The process leads to faster publications but also opens the door for spam and malicious extensions. Closing Words Malicious or spam extensions that use the names of popular extensions or programs are not anything new. Mozilla's AMO store was hit with waves of spam extensions in 2017 and 2018, both happened after Mozilla switched the release process. Google's Chrome Web Store was hit even harder by unwanted extensions in recent years. Chrome's popularity and the fact that Google does not review any extensions manually by default play a role here. While it is easy to spot these particular fake extensions, others may not be as easy to spot. Back in 2017 I suggested Mozilla add a "manual reviewed" batch to extensions to give Firefox users more confidence in the legitimacy of extensions on the official add-ons repository. Source: A wave of malware add-ons hit the Mozilla Firefox Extensions Store (gHacks - Martin Brinkmann)

Mozilla removed today 23 Firefox add-ons that snooped on users and sent data to remote servers, a Mozilla engineer has told Bleeping Computer today. The list of blocked add-ons includes "Web Security," a security-centric Firefox add-on with over 220,000 users, which was at the center of a controversy this week after it was caught sending users' browsing histories to a server located in Germany. Mozilla follows through on the promised investigation "The mentioned add-on has been taken down, together with others after I conducted a thorough audit of [the] add-ons," Rob Wu, a Mozilla Browser Engineer and Add-on review, told Bleeping Computer via email. "These add-ons are no longer available at AMO and [have been] disabled in the browsers of users who installed them," Wu said. "I did the investigation voluntarily last weekend after spotting Raymond Hill's (gorhill) comment on Reddit," Wu told us. "I audited the source code of the extension, using tools including my extension source viewer." "After getting a good view of the extension's functionality, I used webextaware to retrieve all publicly available Firefox add-ons from addons.mozilla.org (AMO) and looked for similar patterns. Through this method, I found twenty add-ons that I subjected to an additional review, which can be put in two evenly sized groups based on their characteristics. "The first group is similar to the Web Security add-on. At installation time, a request is sent to a remote server to fetch the URL of another server. Whenever a user navigates to a different location, the URL of the tab is sent to this remote server. This is not just a fire-and-forget request; responses in a specific format can activate remote code execution (RCE) functionality," Wu said. "Fortunately, the extension authors made an implementation mistake in 7 out of 10 extensions (including Web Security), which prevents RCE from working." "The second group does not collect tab URLs in the same way as the first group, but it is able to execute remote code (which has a worse effect), This second group seems like an evolved version of the first group, because the same logic was used for RCE, with more obfuscation than the other group. "All of these extensions used subtle code obfuscation, where actual legitimate extension functionality is mixed with seemingly innocent code, spread over multiple locations and files. The sheer number of misleading identifiers, obfuscated URLs / constants, and covert data flows left me with little doubt about the intentions of the author: It is apparent that they tried to hide malicious code in their add-on." Wu reported these issues to fellow Mozilla engineers, who not only removed the add-ons from the Mozilla website, but also disabled them inside users' browsers. "Although I could have taken down the extensions myself (as a add-on reviewer at AMO), I did not do so, because just taking down the listings would prevent new installations, but still leave a few hundred thousand users vulnerable to an extension from a shady developer," Wu told Bleeping Computer via email. List of banned add-ons A bug report includes the list of all add-ons removed today in Mozilla's purge. The bug report lists the add-ons by their IDs, and not by their names, although Wu provided Bleeping Computer with the names of some add-ons. Besides Web Security, other banned add-ons include Browser Security, Browser Privacy, and Browser Safety. All of these have been observed sending data to the same server as Web Security, located at 136.243.163.73. The other banned add-ons include: YouTube Download & Adblocker Smarttube Popup-Blocker Facebook Bookmark Manager Facebook Video Downloader YouTube MP3 Converter & Download Simply Search Smarttube - Extreme Self Destroying Cookies Popup Blocker Pro YouTube - Adblock Auto Destroy Cookies Amazon Quick Search YouTube Adblocker Video Downloader Google NoTrack Quick AMZ All in all, over 500,000 users had one of these add-ons installed inside Firefox. Offending add-ons have been disabled in users' browsers After a quick test, true to its word, Mozilla has indeed disabled the Web Security add-on in a Firefox instance Bleeping Computer used yesterday for tests. Users of any of the banned add-ons will see a warning like this: The warning message displayed at the top redirects users to this page, where it provides the following explanation for the ban: Sending user data to remote servers unnecessarily, and potential for remote code execution. Suspicious account activity for multiple accounts on AMO. In the bug report, another Mozilla engineer gave additional explanations, consistent with Wu's investigation: A number of reports have come up that the Web Security add-on (https://addons.mozilla.org/addon/web-security/) is sending visited URLs to a remote server. While this may seem reasonable for an add-on that checks visited webpages for their security, other issues have been brought up: 1) The add-on sends more data than what seems necessary to operate. 2) Some of the data is sent unsafely. 3) The add-on doesn't clearly disclose this practice, beyond a mention in a large Privacy Policy. 4) The code has the potential of executing remote code, which is partially obfuscated in its implementation. 5) Multiple add-ons with very different features, and different authors, have the same code. Further inspection reveals they may all be the same person/group. Article updated with the names of other banned add-ons and additional investigation details provided by Wu. Source Source - 2

Thunderbird add-on developer launches Kickstarter campaign to ensure continued compatibility The extension system of the Thunderbird email client is changing. The email client is based on Firefox code to a large degree and since Mozilla changed the extension system to WebExtensions, it was only a matter of time before Thunderbird's extension system would be switched over as well. The process started with the release of Thunderbird 68. Extension developers had to update their extensions so that users could continue to use them in the new version of the email client. Some extensions, those not updated by their developers, are not compatible with Thunderbird 68 already. The development team plans to finalize the add-on system changes in Thunderbird 78 (expected to be released in June 2020). The team notes that developers of legacy extensions have two options going forward: Convert the extension to a MailExtension. Convert the extension to a Web Extension Experiment. MailExtensions are WebExtensions but with "some added features specific to Thunderbird". Thunderbird developers should prefer the system "to ensure future compatibility". Thunderbird extension developer Jonathan Kamens maintains eleven add-ons for the email client currently. Extensions like Send Later, Reply to Multiple Messages, userchromeJS, or IMAP Received Data have either been created by him directly or taken over to ensure that they remain available for users of the email client. Kamens created a Kickstarter campaign to support continued development of the extensions and to ensure that the extensions will remain compatible with Thunderbird 78 and future versions of the email client. He decided to use a subscription model but with the option of acquiring a perpetual license for all current and future add-ons. Interested users may pay $5, $10 or $25 per year to gain access to one, three or all extensions for the period of 2 years. The perpetual license is available for $50 and guarantees access to all add-ons for one user (including new add-ons). Paid means that the extensions will no longer be available for free when Thunderbird 78 launches. Kamens notes that he would be pleased equally if other extension developers would take over some of the extensions to ensure that they remain compatible with Thunderbird 78 and future versions of the email client, and that this is also an option to keep these extensions free of charge. This Kickstarter campaign may actually help me find people willing to take over my add-ons and maintain them for free. If this campaign succeeds, and some of my add-ons do get adopted by new maintainers, then I'll pay them from the proceeds of the campaign. Having that on offer may help me attract new maintainers for my add-ons, so you may get to keep using the add-ons for free even after the licenses I'm offering in this campaign would have expired. With 56 days to go, €18,530 has already been collected. The goal of the campaign has been set to €45,340. Source: Thunderbird add-on developer launches Kickstarter campaign to ensure continued compatibility (gHacks - Martin Brinkmann)

A team of Belgian researchers discovered privacy issues in how browsers, ad-blocking, and anti-tracking implementations handle third-party cookie requests. A team of Belgian researchers from KU Leuven analyzed third-party cookie policies of seven major web browsers, 31 ad-blockers and 14 anti-tracking extensions and discovered major and minor issues in all of them. Major issues include Microsoft Edge's unwillingness to honor its own "block only third-party cookies" setting, bypasses for Firefox's Tracking Protection feature, and use of the integrated PDF viewer in Chrome and other Chromium-based browsers for invisible tracking. Cookie requests can be sorted into two main groups: first-party requests that come from the address listed in the address bar of the browser and third-party requests that come from all other sites. Advertisement displayed by websites makes use of cookies usually and some of these cookies are used for tracking purposes. Internet users can configure their browsers to block any third-party cookie requests to limit cookie-based tracking. Some browsers, for instance Opera or Firefox, include ad-blockers or anti-tracking functionality that is used in addition to that. Anti-tracking mechanisms have flaws The research paper, "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies", detailed information about each web browser, tests to find out if a browser is vulnerable to exploits, and bug reports are linked on the research project's website. The researchers created a test framework that they used to verify whether "all imposed cookie- and request-policies are correctly applied". They discovered that "most mechanisms could be circumvented"; all ad-blocking and anti-tracking browser extensions had at least one bypass flaw. In this paper, we show that in the current state, built-in anti-tracking protection mechanisms as well as virtually every popular browser extension that relies on blocking third-party requests to either prevent user tracking or disable intrusive advertisements, can be bypassed by at least one technique The researchers evaluated tracking protection functionality and a new cookie feature called same-site cookies that was introduced recently to defend against cross-site attacks. Results for all tested browsers are shown in the table below. The researchers tested the default configuration of Chrome, Opera, Firefox, Safari, Edge, Cliqz, and Tor Browser, and configurations with third-party cookie blocking disabled, and if available, tracking protection functionality enabled. Tor Browser is the only browser on the list that blocks third-party cookies by default. All browsers did not block cookies for certain redirects regardless of whether third-party cookies were blocked or tracking protection was enabled. Chrome, Opera and other Chromium-based browsers that use the built-in PDF viewer have a major issue in regards to cookies. Furthermore, a design flaw in Chromium-based browsers enabled a bypass for both the built-in third party cookie blocking option and tracking protection provided by extensions. Through JavaScript embedded in PDFs, which are rendered by a browser extension, cookie-bearing POST requests can be sent to other domains, regardless of the imposed policies. Browser extensions for ad-blocking or anti-tracking had weaknesses as well according to the researchers. The list of extensions reads like the who is who of the privacy and content blocking world. It includes uMatrix and uBlock Origin, Adblock Plus, Ghostery, Privacy Badger, Disconnect, or AdBlock for Chrome. The researchers discovered ways to circumvent the protections and reported several bugs to the developers. Some, Raymond Hill who is the lead developer of uBlock Origin and uMatrix, fixed the issues quickly. At least one issue reported to browser makers has been fixed already. "Requests to fetch the favicon are not interceptable by Firefox extensions" has been fixed by Mozilla. Other reported issues are still in the process of being fixed, and a third kind won't be fixed at all. You can run individual tests designed for tested web browsers with the exception of Microsoft Edge on the project website to find out if your browser is having the same issues. Closing Words With more and more technologies being added to browsers, it is clear that the complexity has increased significantly. The research should be an eye opener for web browser makers and things will hopefully get better in the near future. One has to ask whether some browser makers test certain features at all; Microsoft Edge not honoring the built-in setting to block third-party cookies is especially embarrassing in this regard. (via Deskmodder) Now You: Do you use extensions or settings to protect your privacy better? Source

Here is why the user count dropped for nearly all Firefox add-ons If you have been to Mozilla AMO recently, the main and official repository for Firefox add-ons and themes, you may have noticed that the "users" count of extensions that you checked out there has dropped. Take the popular content blocker uBlock Origin for example. The extension's current count is 3.94 million users according to Mozilla AMO; some days ago, the count was 5.5 million users. Mozilla published a blog post on the official Mozilla Add-ons blog that highlights why there is a drop across the board on Mozilla AMO in regards to the number of users. Mozilla employee Jorge Villalobos reveals there that Mozilla revamped the statistics that it makes available to add-on developers. The old system used stats aggregated from add-on update logs. Firefox checks Mozilla AMO daily for updates for installed extensions that are hosted on the site. The aggregated data was provided to developers and some of the information could also be accessed publicly; developers would get general information about users such as adoption or demographics. He notes that the system was "costly to run" and that data glitches happened from time to time. The new system drops the use of the daily add-on update check and rely on Telemetry data instead. The data is aggregated and no personally identifiable user data is shared with developers just like before according to Mozilla. The drop in users is caused by the switch to the new system. It appears that, in the case of uBlock Origin, about 1.6 million users of the add-on have Telemetry data disabled in Firefox. Privacy, security and advanced extensions will likely see a larger drop in users than other extensions as users of these type of extensions are more likely to turn off Telemetry. One of the benefits of using Telemetry data is that data can be shown for add-ons that are not listed on AMO. Developers will get access to all add-on usage stats regardless of where the add-on is hosted or how it is distributed. Mozilla plans to add usage by country as well in the future. Two features that were available previously are not available anymore, however. Developers won't see a breakdown of usage by add-on status anymore, and the ability to display the statistics dashboard publicly is no longer available. Villalobos notes that while the numbers are "generally" lower, they do "track very well with the update numbers in terms of change through time and how languages, platforms, versions, etc., compare with one another". Here is why the user count dropped for nearly all Firefox add-ons

Mozilla Add-ons developers may soon pay Mozilla for reviews and promoted listings Mozilla announced the introduction of the "Promoted Add-ons Pilot" program on September 9, 2020 on the official Add-ons blog. The pilot program will run between September and November 2020, and may be turned into a full service for developers of Firefox add-ons afterwards. The main idea behind the new service is to provide add-on developers and companies with options to have their add-ons manually reviewed by Mozilla and as a consequence, promoted on the Mozilla website. Called Promoted Add-ons, the system enables developers to get a verified badge on their add-ons profile page and their add-ons promoted on the Mozilla AMO hompage. Developers may pay Mozilla for the review only, and thus also the verified badge, and also to get their add-ons listed on the homepage of the Add-ons site. via Mozilla Jorge Villalobos, product manager for addons.mozilla.org, notes that Mozilla would love to review all extensions for free for policy compliance but cannot because "the cost would be prohibitive" as reviews are done by humans. Some developers have asked Mozilla if there is a way to get add-ons reviewed and featured on the site according to Villalobos, and the pilot program tries to find out if there is enough interest to warrant launching the new service for all developers. Add-on developers and companies may sign-up for the pilot program if they are based in the following countries: United States, Canada, New Zealand, Australia, the United Kingdom, Malaysia, or Singapore. The other requirements: The add-on needs to be listed on addons.mozilla.org. the add-on needs to pass a manual review to receive the verified badge. Recommended extensions don't need to apply as they get all the benefits. Mozilla plans to accept up to 12 add-ons for inclusion in the pilot program as test capacities are limited. Closing Words Mozilla changed the add-on reviewing process in the past from manual reviews to automated reviews. It then introduced the recommended extensions program as a way to promote certain add-ons for Firefox that are exceptional. These add-ons get reviewed manually. The Promoted Add-ons test pilot program looks like a paid extension to the recommended extensions program. The core differences are that developers need to pay Mozilla to get the verified badge and the promotion on the homepage, and that the only requirement for inclusion is that the add-on needs to be listed on the Add-ons website and pass manual review. These add-ons won't be promoted in the Firefox web browser it appears, at least nothing of the sort was mentioned by Mozilla in the announcement. Mozilla does not charge developers during the test period but will do so afterwards. Pricing has not been mentioned. The introduction of the recommended extensions system has created a two-tier add-ons system already. While pricing for the new Promoted Add-ons system has not been announced, it is possible that the service will predominantly be used by companies and large developers who earn money from their extensions in one way or another. The only benefit that Firefox users have is that more add-ons will get reviewed manually by Mozilla. Mozilla Add-ons developers may soon pay Mozilla for reviews and promoted listings

Mozilla adds two new badges to help identify trusted add-ons Mozilla has launched two new badges for add-ons to help users find extensions made by and extensions verified by Mozilla. Aside from being displayed on the Mozilla add-ons website, extensions on the browser’s add-on menu will also carry one of the new badges if they’ve been awarded. The green verified badge is awarded to extensions that have successfully completed a review process by Mozilla to ensure that it is trusted. End users that see the badge can be assured that the add-on is regularly reviewed by Mozilla and is, therefore, safe to install. Those extensions which have not been verified, recommended, or made by Mozilla will come with a warning that states ‘This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.’ If you want to install a non-badged add-on, you should read Mozilla’s support page on assessing the safety of an extension. According to a previous blog post on the matter, Mozilla stated that developers looking to get their extension verified will have to pay a fee. The badge will allow developers’ add-ons to become more trusted by users and the fee helps support Mozilla’s work. Developers can pay an additional fee to the firm to have their extension appear in the Sponsored section of the Firefox add-ons website, which will aid the add-on’s visibility. Mozilla says that it recently finished picking participants for the badge pilot review, with the process expected to end in November. If they pass the review, you’ll be able to find them, with their new badge, on the Firefox add-on website. Gallery: Firefox Badges Mozilla adds two new badges to help identify trusted add-ons

Abusive add-ons aren’t just a Chrome and Firefox problem. Now it’s Edge’s turn Edge users take to social media to report their Web searches are being hijacked. Enlarge Microsoft 55 with 44 posters participating For years, Google and Mozilla have battled to keep abusive or outright malicious browser extensions from infiltrating their official repositories. Now, Microsoft is taking up the fight. Over the past several days, people in website forums have complained of the Google searches being redirected to oksearch[.]com when they use Edge. Often, the searches use cdn77[.]org for connectivity. After discovering the redirections weren’t an isolated incident, participants in this Reddit discussion winnowed the list of suspects down to five. All of them are knockoffs of legitimate add-ons. That means that while the extensions bear the names of legitimate developers, they are, in fact, imposters with no relation. They include: NordVPN Adguard VPN TunnelBear VPN The Great Suspender Floating Player — Picture-in-Picture Mode “I had the tunnelbear extension installed, but I removed it once I figured out it was causing the issue,” Laurence Norah, a photographer at Finding the Universe, told me by email. “It's easy enough to see it happening—if you install one of the affected extensions in Edge, open dev tools, and press the ‘sources’ tab, you'll see something that shouldn't be there like ok-search.org or cdn77.” His account was consistent with images and accounts from other forum participants. Below are two screenshots: Enlarge Enlarge In a statement, Microsoft officials wrote: “We’re investigating the reported extensions listed and will take action as needed to help protect customers.” The statement follows comments in this Reddit comment in which someone identifying herself as a community manager for Microsoft Edge said the company is in the process of investigating the extensions. “The team just updated me to let me know that anyone seeing these injections should turn off their extensions and let me know if you continue to see them at that point,” the person using the handle MSFTMissy wrote. “Once I have any news from them, I will update this thread accordingly.” The maker of the legitimate TunnelBear software and browser extensions told me that the add-on hosted in Microsoft's official Edge store is a fake. It said there's an extension in the Chrome Web Store that's also fraudulent. “We are taking action to have these removed from both platforms and investigating the matter with both Google and Microsoft,” a TunnelBear representative said. “It is not uncommon for popular, trusted brands like TunnelBear to be spoofed by malicious actors.” The real AdGuard VPN, for its part said issued a statement from CEO Andrey Meshkov that said: “We are taking action to have these removed from both platforms and investigating the matter with both Google and Microsoft,” a TunnelBear representative said. “It is not uncommon for popular, trusted brands like TunnelBear to be spoofed by malicious actors.” NordVPN, meanwhile, issued a statement that said in part: “We noticed this fraudulent extension on Friday and immediately took action to have it removed.” Neither of the remaining two legitimate developers of the real extensions responded to a request for comment. Readers should remember, however, that legitimate developers can't be held responsible when their apps or add-ons are spoofed. Along with Android apps, browser extensions are one of the weak links in the online security chain. The problem is that anyone can submit them, and Google, Mozilla, and now Microsoft haven’t come up with a system that adequately vets the authenticity of the people submitting them or the safety of the code. Search engine redirections are typically part of a scheme to generate fraudulent revenue by ginning up ad clicks, and that's what's likely happening here. While reports indicate that the add-ons do nothing more than hijack legitimate searches, the privileges they require provide the possibility of doing much worse. Usage rights include things like: Reading and changing all your data on the websites you visit Managing your apps, extensions, and themes Changing your privacy-related settings Anyone who has installed any of the above-mentioned Edge add-ons should remove them immediately. And the oft-repeated advice about browser extensions still applies here: (1) install extensions only when they provide true value or benefit and even then (2) take time to read reviews and check the developer for any signs an extension is fraudulent. Post updated to add comments from TunnelBear, AdGuard, NordVPN, and Microsoft. Abusive add-ons aren’t just a Chrome and Firefox problem. Now it’s Edge’s turn