In July, we discussed how a popular Google Chrome browser extension was recording and storing user information, including what websites were visited. This wasn’t the first time and won’t be the last; in fact, another security issue has been found, this time with a Firefox browser add-on.
A popular application designed to improve web security has been caught spying on the website browsing history of users who have it installed. Privacy and security blogger Mike Kuketz, and the author of a popular ad blocker, uBlock Origin, found the exploit and posted the information onto a popular discussions forum, Reddit.
Which add-on is affected?
The add-on responsible is rather simply named 'Web Security'. To-date, it has been installed by around 222,746 Firefox browser users, according to data published by Mozilla, the company that owns the browser. According to the official description of the Web Security add-on, the app 'actively protects you from malware, tampered websites or phishing sites that aim to steal your personal data'.
Surprisingly, Mozilla had in fact recommended the application on their own blog not so long ago. Thanks to the high number of users that had installed Web Security and the positive reviews it had garnered, it found a position on the official Firefox blog just last week. However, this propulsion into the spotlight led security researchers to poke holes in the application.
Only hours later, a man named Raymond Hill, author of the above-mentioned ad blocker software, published a post on Reddit that shared strange behaviour exhibited by Web Security.
“"With this extension, I see that for every page you load in your browser, there is a POST to http://18.104.22.168/ (…) The posted data is garbled, maybe someone will have the time to investigate further."
A POST request means that data is transmitted from one place to another. This meant that every page load resulted in a user’s browser sending information to the website address listed above. Initially, this comment wasn't given a great deal of attention, until Mike Kuketz posted similar findings. Only hours afterwards, another user was successful in decrypting the "garbled data", discovering that user browsing history was being sent to the above URL.
What’s being done?
Normally, when a Firefox add-on needs to perform live malware checks on a website URL, it may gather a small amount of data temporarily. However, according to logs collected from the add-on, Web Security seems to be gathering far more than just the web address. A unique user ID is collected, as are details about browsing patterns. The amount of data collected goes against Mozilla's guidelines for developing extension applications.
Mozilla have previously removed 2 similar applications for the same reasons, though at this point Web Security has not been removed from the portal through which users can download browser extensions. However, it has been removed from their list of recommendations on the blog.
The process to remove an add-on from the portal can take several days, so this rogue app may disappear yet. In the meantime, we recommend that you avoid downloading and installing Web Security. If you’d like any more advice about keeping yourself and your browsing habits private online, then you can discuss security WiseGuys on 0808 123 2820.