A new blog post from Mozilla says that the company, best known for Firefox, has taken action against specific malicious browser extensions. The post in question, authored by Mozilla’s Rachel Tublitz and Stuart Colville, states that there were specific extensions abusing the proxy API. In short, these browser extensions were altering how the Firefox browser was connecting to the Internet.
The Mozilla team reportedly found these extensions behaving oddly in June 2021. Investigating further, they found that over 455,000 users had downloaded the extensions, which most notably prevented those users from receiving updates to their Firefox browser. This would leave the users open to any unpatched vulnerabilities and other issues that stem from not keeping software up to date.
In the post, Tublitz and Colville state the following on how Mozilla dealt with the extensions:
“The malicious add-ons were blocked, to prevent installation by other users.
To prevent additional users from being impacted by new add-on submissions misusing the proxy API, we paused on approvals for add-ons that used the proxy API until fixes were available for all users.
Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails. Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users. We also deployed a system add-on named “Proxy Failover” (ID: [email protected]) with additional mitigations that has been shipped to both current and older Firefox versions.”
Over at Bleeping Computer, cybersecurity reporter Sergiu Gatlan did some more research and pinpointed the extensions likely causing the issue. There are two, Bypass and Bypass XM, which would abuse the proxy API by redirecting web requests from Mozilla. There are legitimate reasons for individuals to use extensions like these, most notably preventing Mozilla from automatically forcing updates. Still, these types of extensions tend to be a haven for abuse by hackers.
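For defenders who want to know which installed add-ons can use the proxy API at all, here is an added example (not from Mozilla's post or the Bleeping Computer report) that lists add-ons granted the `proxy` permission in a profile's `extensions.json`. The JSON field names (`addons`, `userPermissions`, `active`, `location`) are an assumption about how Firefox stores this file, and the sample data and add-on IDs are constructed.

```python
import json

# Constructed sample mimicking the assumed layout of a Firefox profile's
# extensions.json; the add-on ids and names are made up for illustration.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "notes@example.invalid", "type": "extension", "active": True,
         "location": "app-profile", "defaultLocale": {"name": "Notes"},
         "userPermissions": {"permissions": ["storage"], "origins": []}},
        {"id": "tunnel@example.invalid", "type": "extension", "active": True,
         "location": "app-profile", "defaultLocale": {"name": "Tunnel"},
         "userPermissions": {"permissions": ["proxy", "storage"],
                             "origins": ["<all_urls>"]}},
        {"id": "old-proxy@example.invalid", "type": "extension", "active": False,
         "location": "app-profile", "defaultLocale": {"name": "Old Proxy"},
         "userPermissions": {"permissions": ["proxy"], "origins": []}},
        {"id": "dark@example.invalid", "type": "theme", "active": True,
         "location": "app-profile", "defaultLocale": {"name": "Dark"},
         "userPermissions": None},
    ]
})

def proxy_capable_addons(extensions_json_text, include_disabled=False):
    """Return add-ons that were granted the WebExtension "proxy" permission."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries etc. cannot register proxy handlers
        if not include_disabled and not addon.get("active", False):
            continue
        # userPermissions may be missing or null, so normalise to a dict
        perms = addon.get("userPermissions") or {}
        if "proxy" in set(perms.get("permissions") or []):
            findings.append({
                "id": addon.get("id"),
                "name": (addon.get("defaultLocale") or {}).get("name"),
                "active": bool(addon.get("active")),
                "location": addon.get("location"),
                "origins": sorted(perms.get("origins") or []),
            })
    return findings

if __name__ == "__main__":
    for finding in proxy_capable_addons(SAMPLE_EXTENSIONS_JSON, include_disabled=True):
        print(finding)
```

To audit a real profile, pass the text of that profile's `extensions.json` instead of the sample, then review each reported add-on against what the user actually needs.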