Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that had been discovered misusing the Proxy API to impede downloading updates to the browser.
The two extensions in question, named Bypass and Bypass XM, “interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content,” Mozilla’s Rachel Tublitz and Stuart Colville said.
Because the Proxy API can be used to proxy web requests, an abuse of the API could allow a bad actor to effectively control the manner in which the Firefox browser connects to the internet.
In addition to blocking the extensions to prevent installation by other users, Mozilla said it is pausing approvals for new add-ons that use the proxy API until the fixes are broadly available. What’s more, the California-based non-profit said it has deployed a system add-on named “Proxy Failover” that ships with additional mitigations to address the issue.
Users who have installed the problematic add-ons are strongly advised to remove them by heading to the Add-ons section and explicitly searching for “Bypass” (ID: 7c3a8b88-4dc9-4487-b7f9-736b5f38b957) or “Bypass XM” (ID: d61552ef-e2a6-4fb5-bf67-8990f0014957).
Developers of add-ons that require the use of the proxy API are also required to start including a “strict_min_version” key in their manifest.json files targeting Firefox browser versions 91.1 or above.
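One way an add-on developer or reviewer could check a manifest against this requirement, as an added example that is not Mozilla's code: the function names and sample manifests are hypothetical, and only plain dotted numeric versions are accepted (pre-release suffixes are reported as unparseable, a simplification).

```javascript
// Added example: lint a WebExtension manifest for the proxy-API requirement.
// MIN_VERSION comes from the article; function names are hypothetical.
const MIN_VERSION = "91.1";

// Parse a dotted numeric version ("91.1", "91.1.0") into an array of integers.
// Returns null for anything else (empty, wildcards, pre-release suffixes).
function parseVersion(v) {
  if (typeof v !== "string" || !/^\d+(\.\d+)*$/.test(v)) return null;
  return v.split(".").map(Number);
}

// Compare two parsed versions; missing components count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns a list of findings; an empty list means the manifest passes.
function checkProxyManifest(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  if (!perms.includes("proxy")) return []; // requirement only applies to proxy add-ons

  // Firefox reads the key from browser_specific_settings (or legacy applications).
  const gecko =
    (manifest.browser_specific_settings || manifest.applications || {}).gecko || {};
  const declared = gecko.strict_min_version;
  if (declared === undefined) return ["proxy permission without strict_min_version"];

  const parsed = parseVersion(declared);
  if (parsed === null) return [`unparseable strict_min_version: ${declared}`];
  if (compareVersions(parsed, parseVersion(MIN_VERSION)) < 0) {
    return [`strict_min_version ${declared} is below ${MIN_VERSION}`];
  }
  return [];
}

// Constructed sample manifests (not taken from any real add-on).
const samples = {
  missing: { manifest_version: 2, permissions: ["proxy", "<all_urls>"] },
  tooOld: { permissions: ["proxy"], browser_specific_settings: { gecko: { strict_min_version: "78.0" } } },
  ok: { permissions: ["proxy"], browser_specific_settings: { gecko: { strict_min_version: "91.1.0" } } },
  noProxy: { permissions: ["storage"] },
};
for (const [name, m] of Object.entries(samples)) console.log(name, checkProxyManifest(m));
```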