Firefox add-ons "more difficult" to hijack than Chrome
By Shona Ghosh
Posted on 21 Jan 2014 at 10:34
Mozilla has claimed it's difficult to hijack Firefox browser add-ons to serve ads, after Google was forced to pull two Chrome extensions that began spamming users.
Google removed the "Add to Feedly" and "Tweet this Page" extensions from the Chrome web store this week, after they were bought by third parties and quietly updated to inject ads into web pages.
But Mozilla said it was more difficult to introduce silent updates for Firefox add-ons than it appears to be for Chrome extensions.
"For add-ons hosted on addons.mozilla.org, all version updates are code reviewed and tested by a member of our review team, and it needs to pass all of our review policies to be pushed to users via auto-update," a Mozilla spokesperson said. "One such policy is that all unexpected changes, such as advertising, needs to be explicitly opt-in."
"This all makes it more difficult for this kind of hijacking to be effective for add-ons listed on Mozilla Add-ons," she added.
The issue has reportedly affected Firefox, however. An investigation by tech site Ghacks found at least one extension, AutoCopy, had been bought by a company called Wips, which then introduced ads through an update - slipping past Mozilla's review processes.
Mozilla wasn't aware of the AutoCopy issue until contacted by PC Pro. The company said its team had tested the current version of AutoCopy and had, in fact, rejected a more intrusive update.
"Version 1.0.8 of AutoCopy is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic," the company said.
"After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and is what the majority of users have installed," the spokesperson added.
The problem appears to be widespread. Several independent developers have revealed how they were approached by third parties and offered large sums for their popular Chrome extensions.
"Add to Feedly" developer Amit Agarwal revealed he had been offered a "four-figure" sum to sell his extension to a mysterious third party. After agreeing to a deal, he then found the new owner had hijacked the extension to start serving ads.
The problem is partially down to loopholes with permissions and Chrome's auto-update feature. Currently, Chrome extensions require the user's permission for certain features, such as accessing their data. Provided that permission is given when the extension is installed, a developer or new owner can push out new updates that insert ads into web pages without asking for that permission again.
PC Pro understands that Google is on the alert for new malicious extensions and is in the process of reviewing its web store policies.
Update: This article was updated on 22 January with Mozilla's statement on AutoCopy.
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords