We have received reports that a Firefox add-on is potentially exposing the full web-browsing history of its users to its back-end service. This is an issue because the user data is being sent over a non-encrypted connection. The add-on in question is the popular ShowIP, which is used by hundreds of thousands. Its primary function is to show the IP address of the current website, but it also gathers other information, such as hostnames, and keeps a history of the visited sites.
Naked Security has written about the security flaw after being alerted by Rob Sanders, who realized that ShowIP was sending the full URL of the sites he visited, including secure sites using HTTPS, to a web server at api.ip2info.org based in Germany.
“I suspect it’s the work of a very naive developer, but who knows nowadays. What bothers me most is how this code managed to get approved by the Mozilla add-on site (not once, but twice) and how it’s still there 12 days later,” Sanders said.