Mozilla to revamp add-on code review process

Mozilla is dealing with another case of a malicious plug-in for its Firefox web browser, and as a result, is considering changes to its code review process.

The company last week removed the "Mozilla Sniffer" add-on from its archive and added it to what it terms a "blocklist", according to a vulnerability announcement. Mozilla learned that the plug-in contains code that hijacks login details, such as username and password, submitted to any website.

By Mozilla adding the malicious plug-in to its blacklist, users who have installed the program will receive a prompt suggesting they uninstall it. According to the browser maker, the add-on has been downloaded about 1,800 times since it was uploaded to the library on June 6.

The add-on was not created by Mozilla and therefore was in an experimental state, meaning any user who downloaded it would have seen a warning that it was unreviewed for code vulnerabilities, the company said. The plug-in, however, was checked for malware, such as viruses and trojans.

It was finally checked for code flaws on July 12, when the discovery was made that it was confiscating login data from its users.

"Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers," the advisory said. "For this reason, we're already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site."

Mozilla grappled with a similar situation earlier this year, when it warned that two experimental plug-ins for Firefox contained a trojan. Shortly after, however, Mozilla recanted its claim and said only one of the add-ons, known as Master Filer, actually contained malware.

See original article on scmagazineus.com