Mozilla blocks popular Firefox add-on due to security issues
Mozilla has put the YouTube Unblocker add-on on its “blocklist”, as it has been discovered that it was changing users’ security settings and covertly downloading and installing an additional, malicious extension that injects ads in pages visited by users.
The popularity of YouTube Unblocker was due to it allowing users to view YouTube videos blocked in their country. The add-on used to be offered for download on the organization’s official portal for Firefox extensions and themes, but no more:
The various comments in the discussion about the bug that has been started on Mozilla’s bug tracker a few days ago showed that the developers of YouTube Unblocker have been repeatedly trying to bundle it with adware through the years.
Mozilla tried to stop this behaviour by forcing the developers to put the files the add-on was allowed to download on a whitelist, which was to be checked by Mozilla. But the developers found a way to bypass that protection, as well as the protection offered by Firefox’s code signing security feature.
Unfortunately, the same thing can be (and apparently has been) done by other developers.
“The WebExtensions API is meant to have stronger checks and boundaries that should prevent most if not all situations like this one,” explained Jorge Villalobos, Add-ons Developer Relations Lead at Mozilla, but noted that the current add-ons framework gives add-ons a lot of power, which can lead to problems like this.
“This is why we have code reviews for all add-ons submitted to AMO (addons.mozilla.org). In this particular case, the review process failed to catch the bad code.”
Perhaps because, as reported, the YouTube Unblocker would not always download the second add-on.
Mozilla putting YouTube Unblocker and the malicious add-on on its blocklist means that they will be disabled for all users and will be prevented from running automatically. The blocklist will also prevent the add-ons to be installed in the first place, as they can still be downloaded from the developers’ website.
Users who have already installed the offending extension(s) may also want to check this guide on what to do to clear their browsers of them.