
Malware add-ons swamp Mozilla Firefox Extensions store

Image credit: Dreamstime

A cascade of malware and other malicious content has been discovered in the Firefox Extensions store, with the store's 'publish first, review second' policy blamed.

A report by surfaced today, highlighting a wave of fake uploads to the AMO store of popular software extensions, including Adobe Flash Player and ublock Origin Pro.

According to the report, the extensions have no descriptions and they would ‘require access to all data for all websites’.

The author of the report, Martin Brinkmann, investigated and found evidence of malware that checked the usual boxes in several ways. “When you download the extensions, you may notice that the name of the extension does not necessarily match the downloaded file name. The download of ublock origin pro returned an adpbe_flash_player-1.1-fx.xpi file.”

The actual extensions would also have different file sizes, and their functionality may differ as well. What they all have in common is that they listen to certain user inputs and send them to a third-party web server.

The uBlock copycat extension would send form data to a web server, while the first Adobe Flash Player copycat that the author checked logged all keyboard inputs.
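The indicators described above (access to all websites, no description, a downloaded file name that does not match the listed extension) can be checked on an .xpi before it is installed. The following Python is an added example, not code from the report or from Mozilla; the function names, the sample manifest and the word-overlap name heuristic are assumptions, and the manifest `description` field is used as a stand-in for the store description.

```python
import io
import json
import re
import zipfile

# Host patterns Firefox presents as access to data for all websites.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _tokens(text):
    """Lower-case alphanumeric words, for a loose name comparison."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def triage_xpi(xpi_bytes, listed_name, file_name):
    """Return findings for one downloaded .xpi (a ZIP with manifest.json)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        manifest = json.loads(xpi.read("manifest.json"))
    # Host access can be requested in three places; collect them all.
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))  # Manifest V3
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    findings = []
    if requested & BROAD_HOSTS:
        findings.append("all-websites access")
    # Assumption: manifest description stands in for the store description.
    if not str(manifest.get("description") or "").strip():
        findings.append("no description")
    # Heuristic (assumption): listed name and file name share no word at all.
    stem = file_name.rsplit(".", 1)[0]
    if not _tokens(listed_name) & _tokens(stem):
        findings.append("file name does not match listed name")
    return findings


def build_sample_xpi(manifest):
    """Constructed sample: an in-memory .xpi holding only manifest.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed manifest; listed name and file name are those quoted above.
    sample = build_sample_xpi({"manifest_version": 2, "name": "Flash Player",
                               "version": "1.1", "permissions": ["<all_urls>"]})
    print(triage_xpi(sample, "ublock origin pro", "adpbe_flash_player-1.1-fx.xpi"))
```

A clean result only means none of these three indicators fired; it says nothing about what the extension's scripts do with the input they can read.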

The problem is the time the malicious content remains on the platform before being deleted. The issue is not whether Mozilla removes the malware from its extensions store later on; by then, users might already have fallen for the trap.

“The spam extensions may turn up in user searches and they also turn up when you sort by recent updates”, the author wrote.

The reason Mozilla permits malware and other questionable content on its site, if perhaps only for a short while, appears to be a change in the company's policy in 2017. It dictates an ‘upload-first-and-check-later’ posting policy for extensions (instead of a check-first-update-later one).

Google’s extensions store was found to behave in a similar fashion; it allows faster updates and uploads but also risks receiving inauthentic and malicious content such as spam and malware, according to Brinkmann's research.

While Google has also been found in the past to do a poor job of screening Chrome extensions, the firm has more recently appeared increasingly keen to fight questionable content. Last year, the company was reported to have become more active in fighting malicious content uploads in several ways. In mid-2018, it started to ban in-line links which would install Chrome extensions at once.

Google also announced a number of new restrictions on its browser extensions store last year, including a ban on ‘obfuscated’ code; limiting an extension’s permissions to those necessary for its stated purposes; the ability to restrict an extension’s access to specific websites rather than all websites; and a requirement for two-factor authentication on developers’ accounts to prevent unauthorised changes.

Mozilla’s add-on store has struggled with other issues in recent months. At the beginning of May, it emerged that an expired certificate on the Mozilla Add-ons infrastructure had disabled Firefox add-ons for millions of users, which in turn also prevented users from re-activating or installing extensions.

The company issued a statement to explain that it had rolled out a hotfix that re-enables affected add-ons. The fix was automatically applied in the background.
