There is a popular browser add-on which is installed by 222,746 Firefox users according to Mozilla’s own statistics of add-on downloads. According to a German security blogger, Mike Kuketz, and the author of uBlock Origin, Raymond Hill, this particular add-on has been spying on users’ activity by tapping into their browser histories and keeping track of the web pages that they visit. This add-on is the Web Security extension for the Mozilla Firefox browser.
Web Security is designed to protect users from online phishing and malware attacks that could potentially steal personal information. This comes across as ironic, as the extension has been found to be unethically keeping tabs (pun intended) on your own information, invading your privacy without your consent. The reason this news is drawing so much attention is that the add-on was publicized by Mozilla itself in a blog post just last week. The add-on boasts fantastic reviews, which is why it is used so widely.
Mozilla’s blog post was quickly taken down after Hill discovered this flaw in the add-on and brought it up on Reddit, saying that the extension would post to http://22.214.171.124/ for every web page loaded in the browser. He went on to say that the posted data had not been deciphered at that point, and he urged other security analysts to look into it. Yesterday, Kuketz noticed the very same peculiarity and investigated it further, discovering that users’ visited URLs were being sent to a German server.
Although some applications use URL data to search for potential threats, no such search entails the transmission of data to a remote server location. Looking into the code, it was found that not only was the add-on logging users’ web page visits, it was logging them against user IDs to gauge their overall browsing patterns. This analysis and data collection is unnecessary for the purpose that the extension serves. Two similar add-ons, Stylish and Web of Trust, were banned for collecting information in the same way, but Web Security has not been banned as of yet.
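The behaviour reported above, a POST to one fixed server for every page loaded, can also be spotted from the network side. The following is an added example, not the add-on's code and not taken from Hill's or Kuketz's analysis: it scans proxy-log records for a destination that receives a POST right after nearly every page load across unrelated sites. The log format, the thresholds and the sample records (including the placeholder address 203.0.113.10) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed proxy-log records: (epoch seconds, client, method, destination host, content type).
# 203.0.113.10 is a documentation-range placeholder, not the address reported in the article.
def _sample():
    rows = []
    sites = ["news.example", "bank.example", "mail.example",
             "shop.example", "wiki.example", "forum.example"]
    for i, site in enumerate(sites):
        t = 1000.0 + 30 * i
        rows.append((t, "10.0.0.5", "GET", site, "text/html"))      # page load
        rows.append((t + 0.3, "10.0.0.5", "POST", "203.0.113.10",
                     "application/octet-stream"))                   # follows every load
        rows.append((t + 5, "10.0.0.6", "GET", site, "text/html"))  # clean client
    # An ordinary form submission by the clean client.
    rows.append((1012.0, "10.0.0.6", "POST", "shop.example",
                 "application/x-www-form-urlencoded"))
    return sorted(rows)

SAMPLE_LOG = _sample()

def beacon_candidates(records, window=2.0, min_pages=5, min_ratio=0.9):
    """Return {(client, dest): ratio} where a POST to dest follows nearly every page load."""
    pages = defaultdict(list)   # client -> [(time, page host)]
    posts = defaultdict(list)   # (client, dest) -> [time]
    for ts, client, method, host, ctype in records:
        if method == "GET" and ctype.startswith("text/html"):
            pages[client].append((ts, host))
        elif method == "POST":
            posts[(client, host)].append(ts)

    flagged = {}
    for (client, dest), times in posts.items():
        # Ignore page loads on the destination itself: same-site POSTs are ordinary form traffic.
        loads = [(t, h) for t, h in pages[client] if h != dest]
        if len(loads) < min_pages:
            continue
        followed = sum(1 for t, _ in loads if any(0 <= p - t <= window for p in times))
        ratio = followed / len(loads)
        # Require several distinct sites so one chatty web app does not trigger the rule.
        if ratio >= min_ratio and len({h for _, h in loads}) >= 3:
            flagged[(client, dest)] = round(ratio, 2)
    return flagged

if __name__ == "__main__":
    for (client, dest), ratio in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: POST after {ratio:.0%} of page loads")
```

A hit from this heuristic is a lead for inspecting the POST bodies and the installed extensions on that client, not proof of tracking on its own.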