Firefox "security" add-on exposes users' Web browsing history

[nsane.forums]

A Firefox add-on that gives users the ability to collect information on the IP address, server hostname and other related data for websites they visit also has the added bonus feature of reporting the same information on every site visited to a third-party server, SophosLabs reports. The ShowIP add-on exposes the full Web-browsing history of its users to the add-on's back-end service—and anyone who can intercept the unencrypted packets.

Sophos' Graham Cluely writes that he was alerted to the problem by a reader, who found a recent update to the ShowIP add-on sends the full URL of sites visited in unencrypted form—including those visited using HTTP Secure and in "private browsing" mode—to a Web server at api.ip2info.org, without alerting the user. The behavior is a potential privacy threat to users of the service, because the data leaked by the add-on could be used by anyone sharing the network they are on to reconstruct their Internet browsing history.

The issue has been reported on the add-on's Google Code project page, but there has been no response.

Further reading

• Naked Security blog (nakedsecurity.sophos.com)

View: Original Article

[clubhouse]

This always bothers me about FF addons, just how do you know you've removed them?....For example, I removed Ad Block in the past to try other ad blockers.....and decided to go back to ABP....How come my 'list' is still there and my subscription choices...It obviously doesn't completely uninstall using the remove option.

[Veboy]

This always bothers me about FF addons, just how do you know you've removed them?....For example, I removed Ad Block in the past to try other ad blockers.....and decided to go back to ABP....How come my 'list' is still there and my subscription choices...It obviously doesn't completely uninstall using the remove option.

The add-on itself is removed as you clicked remove in about:addons, but the data it has made on your Firefox profile remains. those can be deleted manually.

[rudrax]

Firefox should make a trusted community to sign the add-ons made for it..if a user wants to use an unsigned add-on, it will be in his own risk and if a signed add-on fails, FireFox will be liable for that.

Edit: If there already have such communities, it is not known to me. If that exists, people should only download add-ons available in that community.

[calguyhunk]

^ Mozilla reviews every add-on on their site.

From addons.mozilla.org -

We offer two types of review and developers are free to choose the best fit for their add-on.

Full Review - a thorough functional and code review of the add-on, appropriate for add-ons ready for distribution to the masses. All site features are available to these add-ons.

Preliminary Review - a faster review intended for experimental add-ons. Preliminary reviews do not check for functionality or full policy compliance, but the reviewed add-ons have install button cautions and some feature limitation.

..............

• When performing a full review, editors will:
• install the add-on, making sure it functions as described and is free of major defects
• perform a source code review, looking for performance and security best practices
• ensure the add-on's privacy policy is in line with its functionality
• look for compliance with all of Mozilla's policies, detailed in these documents.

[Sl@pSh0ck™]

This always bothers me about FF addons, just how do you know you've removed them?....For example, I removed Ad Block in the past to try other ad blockers.....and decided to go back to ABP....How come my 'list' is still there and my subscription choices...It obviously doesn't completely uninstall using the remove option.

The add-on itself is removed as you clicked remove in about:addons, but the data it has made on your Firefox profile remains. those can be deleted manually.

I have made a tut on how to remove those entries easily, check it out here: http://www.nsaneforums.com/topic/125574-how-to-clean-firefoxs-prefsjs/