Mozilla on Monday disclosed it blocked two malicious Firefox
add-ons installed by 455,000 users that were found misusing the
Proxy API to impede downloading updates to the browser.
The two extensions in question, named Bypass and Bypass XM,
“interfered with Firefox in a way that prevented users who had
installed them from downloading updates, accessing updated
blocklists, and updating remotely configured content,” Mozilla’s
Rachel Tublitz and Stuart Colville said[1].
Because the Proxy API can be used[2]
to proxy web requests, an abuse of the API could enable a bad actor
to effectively control the manner in which the Firefox browser
connects to the internet.
In addition to blocking the extensions to prevent installation
by other users, Mozilla said it’s pausing approvals for new
add-ons that use the proxy API until the fixes are broadly
available. What’s more, the California-based non-profit said it’d
deployed a system add-on named “Proxy Failover[3]” that ships with further
mitigations to address the issue.
Users who have installed the problematic add-ons are highly
advised to remove[4]
them by heading to the Add-ons section and explicitly searching for
“Bypass” (ID: 7c3a8b88-4dc9-4487-b7f9-736b5f38b957) or “Bypass XM”
(ID: d61552ef-e2a6-4fb5-bf67-8990f0014957).
Developers of add-ons that require the use of the proxy API are
also required to start including a “strict_min_version[5]” key in their
manifest.json files targeting Firefox browser versions 91.1 or
above.
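As an added example (not Mozilla's code and not part of the original article), the following JavaScript audits a manifest.json against the requirement above: an add-on that requests the proxy permission must declare a strict_min_version of 91.1 or higher. It assumes the key sits under browser_specific_settings.gecko (or the legacy applications key) and that versions are purely numeric; the function names and sample manifests are constructed for illustration.

```javascript
// Added example, not Mozilla's code: audit a manifest.json for the proxy API rule.
const REQUIRED_MIN = [91, 1]; // Firefox 91.1, the minimum stated in the article

// Assumption: versions are purely numeric ("91.1", "100.0.2"); anything else is rejected.
function parseVersion(v) {
  if (typeof v !== "string" || !/^\d+(\.\d+)*$/.test(v)) return null;
  return v.split(".").map(Number);
}

// Compare component by component; a string compare would rank "100.0" below "91.1".
function versionAtLeast(parts, min) {
  const n = Math.max(parts.length, min.length);
  for (let i = 0; i < n; i++) {
    const a = parts[i] || 0, b = min[i] || 0;
    if (a !== b) return a > b;
  }
  return true;
}

function checkProxyManifest(manifestText) {
  const m = JSON.parse(manifestText);
  const perms = [...(m.permissions || []), ...(m.optional_permissions || [])];
  if (!perms.includes("proxy")) {
    return { usesProxy: false, ok: true, reason: "proxy permission not requested" };
  }
  // Gecko settings sit under browser_specific_settings (legacy key: applications).
  const gecko = (m.browser_specific_settings || m.applications || {}).gecko || {};
  const parsed = parseVersion(gecko.strict_min_version);
  if (parsed === null) {
    return { usesProxy: true, ok: false, reason: "strict_min_version missing or not numeric" };
  }
  if (!versionAtLeast(parsed, REQUIRED_MIN)) {
    return { usesProxy: true, ok: false, reason: "strict_min_version below 91.1" };
  }
  return { usesProxy: true, ok: true, reason: "strict_min_version is 91.1 or above" };
}

// Constructed sample manifests (hypothetical add-ons, not real ones).
const base = { manifest_version: 2, name: "demo", version: "1.0", permissions: ["proxy", "<all_urls>"] };
const withMin = (v) =>
  JSON.stringify({ ...base, browser_specific_settings: { gecko: { strict_min_version: v } } });
const SAMPLES = { missing: JSON.stringify(base), tooOld: withMin("78.0"), exact: withMin("91.1"), newer: withMin("100.0") };
for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, checkProxyManifest(text).reason);
}
```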
References
[1] said (blog.mozilla.org)
[2] used (developer.mozilla.org)
[3] Proxy Failover (ftp.mozilla.org)
[4] remove (support.mozilla.org)
[5] strict_min_version (developer.mozilla.org)