Mozilla disclosed it blocked two malicious Firefox add-ons installed by 455,000 users. The add-ons were found misusing the Proxy API to intercept and redirect web requests to prevent users from downloading updates to the browser, updating remotely configured content, and accessing updated blocklists.
The Proxy API can be abused by a bad actor to control how Firefox browser connects to the web.
Two extensions that were found in Firefox’s built-in settings secretly “interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content,” Mozilla’s Rachel Tublitz and Stuart Colville said.
Mozilla has blocked the extensions that use the proxy API to prevent unauthorized installation and paused approvals for new add-ons that use the proxy API. The non-profit organization also deployed a system add-on “Proxy Failover” to address the issue.
“To prevent additional users from being impacted by new add-on submissions misusing the proxy API, we paused on approvals for add-ons that used the proxy API until fixes were available for all users,” Mozilla’s Rachel Tublitz and Stuart Colville said. “Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails. Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users.”
Users are advised to remove the malicious add-ons by heading the Add-ons section and explicitly searching for “Bypass” (ID: 7c3a8b88-4dc9-4487-b7f9-736b5f38b957) or “Bypass XM” (ID: d61552ef-e2a6-4fb5-bf67-8990f0014957).
Developers who want to add an add-on that uses the Proxy API are required to include a “strict_min_version” key in their manifest.json files for Firefox browser versions 91.1 or above.