Mozilla, one of the most widely used options for a web browser and e-mail client, faced an embarrassing situation last month when one malicious add-on and another add-on with a security vulnerability were discovered in the add-on section of the Mozilla website.
The add-on, called ‘Mozilla Sniffer’, was uploaded to addons.mozilla.org on 6th June 2010. It was later found that the add-on contained code that intercepted the login data a user submitted to a web site once the add-on was installed, and sent that private data to a remote location. The issue was discovered on 12th July, and Mozilla disabled the add-on and added it to the block list soon after the malicious feature was found. Blocking the add-on prompted users to uninstall it from their systems. Uninstalling the add-on stops its malicious behavior immediately. Even after uninstalling it, users should change, as soon as possible, any passwords they used while the add-on was installed.
It has been estimated that more than 1800 users worldwide have downloaded Mozilla Sniffer. More than 334 current users still have Mozilla Sniffer installed on their systems. Many users did not receive an uninstall notification immediately after Mozilla blocked the add-on, because Mozilla’s web site was not functioning properly for some time and could not send the notification right away.
Mozilla itself did not develop Mozilla Sniffer. However, morally speaking, it was Mozilla's responsibility to review the add-on before making it available to users. If the add-on was experimental, it was Mozilla's duty to warn users who tried to install it that Mozilla Sniffer had not been reviewed and might contain errors. Mozilla's systems only scanned the add-on for viruses and other malware, and scanning alone could not reveal the actual behavior of the code. It was only after Johann Peter Hartmann reported the issue to Mozilla that the code was reviewed.
Mozilla has stated that such unreviewed add-ons have created problems for users before, although they may have low visibility. A security escalation vulnerability was found in version 3.0.1 of the CoolPreviews add-on. The vulnerability involved a specially crafted hyperlink: when the user hovered the cursor over the link, remote JavaScript was executed with local chrome privileges. This gave the attacking script full control of the host. The add-on has been fixed and Mozilla has uploaded the new version. More than 177,000 users were affected by this vulnerability. Alice White brought the issue to notice, after which Mozilla made the necessary changes to the add-on. As a result, Mozilla is trying to implement a new security model for addons.mozilla.org that would require the code of any add-on to be reviewed before it is made available to the public. The new security model is important for maintaining the trust of the millions of users of open source systems like Mozilla.