Firefox add on exposes users browsing history

We have received reports that a Firefox add-on is potentially exposing the full web-browsing history of its users to its back-end service. This is an  issue because user data being sent is over an non-encrypted connection. The add-on in question is the popular  ShowIP, which is used by hundreds of thousands. Its primary function is to show the IP address of the current website, but it also gathers other information like the hostnames, and keeps a history of the visited sites.

Naked Security has written about  the security flaw after being alerted by Rob Sanders who realized that ShowIP was sending the full URL of the sites he visited to a web server at api.ip2info.org based in Germany, including secure sites using HTTPS.

“I suspect it’s the work of a very naive developer, but who knows nowadays. What bothers me most is how this code managed to get approved by the Mozilla add-on site (not once, but twice) and how it’s still there 12 days later,” Sanders said.

This article was filed in Homepage > Web and was tagged with firefox and Security. The story was spotted on nakedsecurity.sophos
Like us, and get the best stories

User Comments