Mozilla, one of the most widely used options for a web browser and e-mail client, faced an embarrassing situation last month when one malicious add-on and another security vulnerability were discovered in the add-on section of the Mozilla website.
The add-on, called ‘Mozilla Sniffer’, was uploaded to addons.mozilla.org on 6th June 2010. It was later found that the add-on contained code that interfered with the login data a user submitted to a web site once the add-on was installed on their system. The code in the add-on sent this private data to a remote location. The issue was discovered on 12th July, and Mozilla disabled the add-on and added it to the block list soon after the malicious feature was found. The block prompted users to uninstall the add-on from their systems. Uninstalling the add-on stops its malicious behavior immediately. Even after uninstalling it, users should change, as soon as possible, any passwords that were accessed while the add-on was installed on their systems.
It has been estimated that more than 1800 users worldwide have downloaded Mozilla Sniffer. More than 334 current users still have Mozilla Sniffer installed on their systems. Many users did not receive an uninstall notification immediately after Mozilla blocked the add-on, because Mozilla’s web site was not functioning properly for some time and could not send the notification to them right away.
It should be noted that Mozilla itself did not develop Mozilla Sniffer. However, morally speaking, it was Mozilla's responsibility to review the add-on before making it available to its users. If the add-on was in an experimental state, it was Mozilla's duty to warn users who tried to install it that Mozilla Sniffer had not been reviewed and might have errors. Mozilla's systems only scanned the add-on for viruses and other malware, and scanning alone could not detect the actual behavior of the code. Only when Johann Peter Hartmann reported the issue to Mozilla did the system start reviewing the code.