Malicious Firefox Add-ons Interfered How Browser Connects to The Internet

Malicious Firefox Add-ons Interfered How Browser Connects to The Internet

On Monday, Mozilla blacklisted two malicious Firefox add-ons that were found to be abusing the Proxy API to prevent users from getting browser upgrades. They are available on the systems of more than 455,000 users, and all of them may get affected by the misuse of this API.

“In early June, we discovered add-ons that were misusing the proxy API, which is used by add-ons to control how Firefox connects to the internet,” Stuart Colville and Rachel Tublitz from Mozilla wrote.

According to them, Bypass and Bypass XM, the two extensions, meddle with Firefox in such a way that users who had installed them are unable to obtain updates, access updated blocklists, or update remotely controlled content. 

Because the Proxy API may be used to proxy web requests, a threat actor might use it to essentially control how the Firefox browser links to the internet.

Mozilla is suspending approvals for new add-ons that employ the proxy API until the patches are widely available, in addition to banning the submissions by other users.

“The malicious add-ons were blocked, to prevent installation by other users. To prevent additional users from being impacted by new add-on submissions misusing the proxy API, we paused on approvals for add-ons that used the proxy API until fixes were available for all users,” Mozilla researchers wrote.

Furthermore, the California-based non-profit stated it had introduced a “Proxy Failover” system add-on that comes with other mitigations to solve the problem.

Users with the problematic add-ons installed on their devices are strongly urged to uninstall them by going to the Add-ons section and searching for: 

  • “Bypass” (ID: 7c3a8b88-4dc9-4487-b7f9-736b5f38b957), or 
  • “Bypass XM” (ID: 7c3a8b88-4dc9-4487-b7f9-736b5f38b957), or
  • “Bypass XM” (ID: d61552ef-e2a6-4fb5-bf67-8990f0014957).

Add-on developers that leverage the proxy API must now include a “strict_min_version” value in their manifest. json files that are compatible with Firefox 91.1 and above.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.