Mozilla Removed Two Popular Firefox Add-Ons For Abusing Their Proxy API

Mozilla has recently announced the removal of two Firefox add-ons with a huge number of downloads. The firm removed those add-ons upon noticing them abusing the Firefox Proxy API to prevent downloading of updates.

Firefox Add-Ons Abusing Proxy API Removed

In a recent blog post, Mozilla elaborated on securing the Proxy API by removing two popular Firefox extensions.

As stated, the firm removed the extensions, identified as “Bypass” and “Bypass XM,” as it found them abusing the Firefox Proxy API maliciously.

Proxy API allows the browser add-ons to control how the Firefox browser connects to the internet.

However, Mozilla noticed that the two extensions exploited the API to prevent the browser from installing updates alongside other activities. As stated in its post,

These add-ons interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.

Mozilla has removed them from its end. Nonetheless, the service advises all users to delete the extensions immediately from their web browsers. (The two extensions collectively boast over 455,000 installations.)

Mozilla has also halted approvals for new add-ons submissions who use the Proxy API.

Furthermore, the firm has also rolled out a “Proxy Failover” system add-on to old and the latest Firefox releases.

For legitimate developers behind add-ons that use Proxy API, Mozilla has advised them to include a strict_min_version key in their manifest.json files mentioning the latest Firefox release. The latest browser releases at the time of writing are Firefox 93 and Firefox ESR 91.2.

We are asking all developers requiring the proxy API to start including a strict_min_version key in their manifest.json files targeting “91.1” or above as shown in this example:
“browser_specific_settings”: {   “gecko”: {     “strict_min_version”: “91.1”   } }

Mozilla pledges to expedite the review for add-ons with this amendment.

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil