Firefox add-ons "more difficult" to hijack than Chrome
Mozilla claims Firefox add-ons are harder to hijack after Chrome extensions fall foul of spammers
Mozilla has claimed it's difficult to hijack Firefox browser add-ons to serve ads, after Google was forced to pull two Chrome extensions that began spamming users.
Google removed the "Add to Feedly" and "Tweet this Page" extensions from the Chrome web store this week, after they were bought by third parties and quietly updated to inject ads into web pages.
But Mozilla said it was more difficult to introduce silent updates for Firefox add-ons than it appears to be for Chrome extensions.
"For add-ons hosted on addons.mozilla.org, all version updates are code reviewed and tested by a member of our review team, and it needs to pass all of our review policies to be pushed to users via auto-update," a Mozilla spokesperson said. "One such policy is that all unexpected changes, such as advertising, needs to be explicitly opt-in."
"This all makes it more difficult for this kind of hijacking to be effective for add-ons listed on Mozilla Add-ons," she added.
The issue has reportedly affected Firefox, however. An investigation by tech site Ghacks found at least one extension, AutoCopy, had been bought by a company called Wips, which then introduced ads through an update - slipping past Mozilla's review processes.
Mozilla wasn't aware of the AutoCopy issue until contacted by PC Pro. The company said its team had tested the current version of AutoCopy and had, in fact, rejected a more intrusive update.
"Version 1.0.8 of AutoCopy is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic," the company said.
"After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and is what the majority of users have installed," the spokesperson added.
The problem appears to be widespread. Several independent developers have revealed how they were approached by third parties and offered large sums for their popular Chrome extensions.
"Add to Feedly" developer Amit Agarwal revealed he had been offered a "four-figure" sum to sell his extension to a mysterious third party. After agreeing to a deal, he then found the new owner had hijacked the extension to start serving ads.
The problem is partially down to loopholes with permissions and Chrome's auto-update feature. Currently, Chrome extensions require the user's permission for certain features, such as accessing their data. Provided that permission is given when the extension is installed, a developer or new owner can push out new updates that insert ads into web pages without asking for that permission again.
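The update path described above can be checked from the defender's side by comparing an extension's manifest before and after an update. The following is an added example, not code from Mozilla, Google or any extension named in this article: it flags updates that request nothing new yet already hold access to every page. The function names and sample manifests are constructed for illustration, and the exact-string comparison is a simplified model of how the browser decides whether to ask for permission again.

```javascript
// Added example: simplified model of the update path described above.
// Assumption: exact-string comparison of permissions; Chrome's real
// warning rules are more detailed than this.
const BROAD = new Set(["<all_urls>", "*://*/*"]);
const isHost = (p) => p === "<all_urls>" || p.includes("://");

function grants(manifest) {
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const scripts = manifest.content_scripts || [];
  const hosts = new Set(declared.filter(isHost));
  scripts.forEach((cs) => (cs.matches || []).forEach((m) => hosts.add(m)));
  return {
    apis: new Set(declared.filter((p) => !isHost(p))),
    hosts,
    broad: [...hosts].some((h) => BROAD.has(h)),
    files: new Set(scripts.flatMap((cs) => cs.js || [])),
  };
}

function auditUpdate(oldManifest, newManifest) {
  const before = grants(oldManifest);
  const after = grants(newManifest);
  const addedApis = [...after.apis].filter((p) => !before.apis.has(p));
  const addedHosts = [...after.hosts].filter((h) => !before.hosts.has(h) && !before.broad);
  const addedScripts = [...after.files].filter((f) => !before.files.has(f));
  const needsNewConsent = addedApis.length + addedHosts.length > 0;
  return {
    addedApis, addedHosts, addedScripts, needsNewConsent,
    // No new grant requested, yet the extension can already touch every page:
    // the update ships without a prompt and deserves a manual code diff.
    reviewSilentUpdate: !needsNewConsent && after.broad,
  };
}

// Constructed sample manifests (not taken from any real extension).
const v1 = { version: "1.0", permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["button.js"] }] };
const v2 = { version: "1.1", permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["button.js", "inject.js"] }] };
const v3 = { version: "1.2", permissions: ["tabs", "history", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["button.js"] }] };

console.log(auditUpdate(v1, v2)); // silent update that adds a script file
console.log(auditUpdate(v1, v3)); // update that requests a new API permission
```

A manifest comparison only shows what an update is allowed to do; changes inside existing script files still need a code diff of the two versions.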
PC Pro understands that Google is on the alert for new malicious extensions and is in the process of reviewing its web store policies.
Update: This article was updated on 22 January with Mozilla's statement on AutoCopy.