Mozilla Sniffer, a little-used and now disabled Firefox add-on, turns out be a log-in thief and has been disabled by Mozilla. Additionally the Firefox-maker disabled earlier versions of CoolPreviews, another, more popular add-on which carried vulnerabilities that could enable remote takeovers. Time to take a long look at your company's browser add-ons policy.A Firefox add-on, Mozilla Sniffer (you'd think the name would have been a warning in itself) has been revealed to be a log-in thief, grabbing Web site log-ins and sending the info to its makers.
The add-on has been disabled by Mozilla, according to a blog post, which recommends that anyone who installed Mozilla Sniffer should immediately change their passwords.
Mozilla reports that the Sniffer add-on was "downloaded approximately 1,800 times since its submission and currently reports 334 active daily users."
Far more popular is the CoolPreviews add-on, version 3.01 of which held a vulnerability that could alow re4mote takeover of the user's computer. Mozilla disabled CoolPreviews 3.01 (and all earlier versions) and now has posted a version of CoolPreviews that has had the vulnerability eliminated.
The repaired version can be found at addons.mozilla.org Mozilla recommends that all CoolPreviews users upgrade to the latest version immediately.
How familiar are you, or your security personnel, with the add-ons your employees have added to their browsers? How confident are you that all of those add-ons have been reviewed for security and approved by the browser's developer?
As Mozilla pointed out in its security blog, unreviewed add-ons have "been previously identified as an attack vector for hackers." That's an understatement, to say the least, which is why it's good to know that Mozilla is reviewing its criteria for posting add-ons to its site. (The Mozilla Sniffer password thief remained on the add-on site for a month before being disabled.)
Might be a good idea for you to review the security policy surrounding which browser add-ons (and for that matter, which browser) your employees can add to your systems.
Don't Miss: 5 Web Security Practices For SMBs