Mobile // Mobile Applications
Commentary
7/16/2010
01:15 PM
Keith Ferrell
Keith Ferrell
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Mozilla Sniffer Firefox Add-On Steals Passwords

Mozilla Sniffer, a little-used and now disabled Firefox add-on, turns out be a log-in thief and has been disabled by Mozilla. Additionally the Firefox-maker disabled earlier versions of CoolPreviews, another, more popular add-on which carried vulnerabilities that could enable remote takeovers. Time to take a long look at your company's browser add-ons policy.

Mozilla Sniffer, a little-used and now disabled Firefox add-on, turns out be a log-in thief and has been disabled by Mozilla. Additionally the Firefox-maker disabled earlier versions of CoolPreviews, another, more popular add-on which carried vulnerabilities that could enable remote takeovers. Time to take a long look at your company's browser add-ons policy.A Firefox add-on, Mozilla Sniffer (you'd think the name would have been a warning in itself) has been revealed to be a log-in thief, grabbing Web site log-ins and sending the info to its makers.

The add-on has been disabled by Mozilla, according to a blog post, which recommends that anyone who installed Mozilla Sniffer should immediately change their passwords.

Mozilla reports that the Sniffer add-on was "downloaded approximately 1,800 times since its submission and currently reports 334 active daily users."

Far more popular is the CoolPreviews add-on, version 3.01 of which held a vulnerability that could alow re4mote takeover of the user's computer. Mozilla disabled CoolPreviews 3.01 (and all earlier versions) and now has posted a version of CoolPreviews that has had the vulnerability eliminated.

The repaired version can be found at addons.mozilla.org Mozilla recommends that all CoolPreviews users upgrade to the latest version immediately.

How familiar are you, or your security personnel, with the add-ons your employees have added to their browsers? How confident are you that all of those add-ons have been reviewed for security and approved by the browser's developer?

As Mozilla pointed out in its security blog, unreviewed add-ons have "been previously identified as an attack vector for hackers." That's an understatement, to say the least, which is why it's good to know that Mozilla is reviewing its criteria for posting add-ons to its site. (The Mozilla Sniffer password thief remained on the add-on site for a month before being disabled.)

Might be a good idea for you to review the security policy surrounding which browser add-ons (and for that matter, which browser) your employees can add to your systems.

Don't Miss: 5 Web Security Practices For SMBs

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.