Mozilla and Google are cracking down on malicious and abusive extensions available for the Firefox and Chrome browsers, respectively. The moves come in response to the recent detection of add-ons that turned out to violate the browser maker’s policies, despite review processes designed to weed out wares that are malicious or have the potential to be malicious.
The most significant move was Mozilla’s ouster over the past month of almost 200 extensions. The majority of them—129, to be exact—were developed by 2Ring, a maker of business software. There’s no evidence the extensions were malicious, but Mozilla officials found they executed code hosted on a remote server, in violation of Mozilla policies. The representative added that current installations aren’t affected and users who want to install an extension can still do so manually.
A 2Ring representative said that company officials have contacted Mozilla about the move and are awaiting a response. The representative added that the extensions, which businesses use to integrate select CRM systems with apps installed in customer contact centers, interact only with user white-listed applications specified in extension’s configuration.
Mozilla ejected six other extensions for the same reason. Another extension was also caught loading remote content onto a new tab page. The policies barring remote code and content are designed to increase transparency and lower the risk of extensions that behave in ways that might be harmful.
Mozilla expelled another 30 extensions for “violating Mozilla’s add-on policies by showing malicious behavior on third-party websites.” Still more extensions here, here, here, here, and here got the boot for collecting user data. Another batch was removed for collecting search terms or intercepting searches that went to a third-party search provider.
The search engine also banned extensions here, here, and here for using obfuscated code. Similar to the ban on the loading of remote code or content, the policy against obfuscated code is intended to lower the chances of extensions that covertly carry out harmful behavior.
The ouster of the Firefox extensions was first reported by ZDNet.
Google, meanwhile, said last Friday that it had “detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users.” The “scale of the abuse,” Friday’s post said, has prompted Google to temporarily bar the publishing fee-based extensions. The move is meant to curb the influx as engineers look for longer-term solutions that rein in the broader pattern of abuse.
A thread accompanying the announcement showed multiple developers reporting recent takedowns of their extensions.
“I have written multiple times replying to the rejection letter about two of my paid extensions that existed in the Store for more than a year,” one developer wrote. “I have not received any reply, and the extensions are still in the Pending review status.”
Paid extensions are those that collect fees up front, charge for subscriptions, or allow in app-purchases. Last Friday’s announcement didn’t describe the specific details of the fraudulent transactions. While the increase in abuse is significant, paid apps represent a small portion of the extensions available in the Chrome Web store. According to a report last August from Extension Monitor, only about 9 percent of extensions were fee based.
The crackdowns highlight a problem that has existed for years with extensions available from both Mozilla and Google. While the vast majority are safe, a small but statistically significant sample engage in click fraud, steal user credentials and install currency miners, and spy on end users—in at least one case, millions of users, some of whom were inside large companies and other data-sensitive networks.
There’s no sure-fire way to know if an extension is safe. One general rule is that there’s safety in numbers. An app with millions of installs is likely to receive more scrutiny from researchers than one with only a few thousand. Another guideline: apps from known developers are less likely to engage in malicious or abusive behavior. The best rule is to install extensions only when they truly provide value. Installed extensions that are used rarely or not at all should always be removed.