A wave of malware add-ons hit the Mozilla Firefox Extensions Store

[Karlston]

A wave of malware add-ons hit the Mozilla Firefox Extensions Store

If you browse the official Mozilla store for Firefox extensions, called Mozilla AMO, you may stumble upon extensions that have names of popular software products or extensions.

 

Extensions like Adobe Flash Player or ublock Origin Pro are listed in the Mozilla AMO store currently. These have no users at the time of writing as they are brand new and they appear to have been created and uploaded by random users (Firefox user xyz).

 

 

The extensions have no description and they require access to all data for all websites. When you download the extensions, you may notice that the name of the extension does not necessarily match the downloaded file name. The download if ublock origin pro returned a adpbe_flash_player-1.1-fx.xpi file.

 

The actual extensions have different file sizes and their functionality may differ as well. All have in common that they listen to certain user inputs and send these to a third-party web server.

 

The uBlock copycat extension sends form data to a web server, the first Adobe Flash Player copycat that I checked logged all keyboard inputs and did the same.

 

Mozilla will remove the extensions once it notices them. The problem here is that this happens after the fact. The spam extensions may turn up in user searches and they also turn up when you sort by recent updates.

 

Mozilla switched from a "review first, publish second" to a "publish first, review second" model in 2017. Any extension uploaded to Mozilla AMO that passes automated checks is published first with the exception of extensions of the Firefox Recommended Extensions program.

 

Google does the same thing but does not even review extensions manually after publication. The process leads to faster publications but also opens the door for spam and malicious extensions.

Closing Words

Malicious or spam extensions that use the names of popular extensions or programs are not anything new. Mozilla's AMO store was hit with waves of spam extensions in 2017 and 2018, both happened after Mozilla switched the release process.

 

Google's Chrome Web Store was hit even harder by unwanted extensions in recent years. Chrome's popularity and the fact that Google does not review any extensions manually by default play a role here.

 

While it is easy to spot these particular fake extensions, others may not be as easy to spot. Back in 2017 I suggested Mozilla add a "manual reviewed" batch to extensions to give Firefox users more confidence in the legitimacy of extensions on the official add-ons repository.

 

Source: A wave of malware add-ons hit the Mozilla Firefox Extensions Store (gHacks - Martin Brinkmann)