We have received reports that a Firefox add-on is potentially exposing the full web-browsing history of its users to its back-end service. This is an issue because user data being sent is over an non-encrypted connection. The add-on in question is the popular ShowIP, which is used by hundreds of thousands. Its primary function is to show the IP address of the current website, but it also gathers other information like the hostnames, and keeps a history of the visited sites.
Naked Security has written about the security flaw after being alerted by Rob Sanders who realized that ShowIP was sending the full URL of the sites he visited to a web server at api.ip2info.org based in Germany, including secure sites using HTTPS.
“I suspect it’s the work of a very naive developer, but who knows nowadays. What bothers me most is how this code managed to get approved by the Mozilla add-on site (not once, but twice) and how it’s still there 12 days later,” Sanders said.
- 2014-04-10: Firefox OS 2.0 Begins To Take Shape
- 2014-03-19: Former Firefox Developer Explains Mozilla's Decision To Drop Its Modern UI Project
- 2014-03-19: Firefox Powers Better In-Browser Games At GDC14
- 2014-03-14: Mozilla Kills "Firefox For Metro" Project Citing Low Adoption
- 2014-03-12: Unreal Engine 4 Runs On Firefox
- 2011-08-12: Mozilla Firefox to automatically block unwanted add-ons
- 2011-05-19: Ant Video Downloader and Player add-on for Firefox secretly tracks your browsing history?
- 2011-01-24: Mozilla wants to deliver improved online privacy
- 2010-03-02: New Attack On Internet Explorer Via F1 Key
- 2010-10-26: Firesheep Extension Sniffs Out Facebook And Other Information Over Wi-Fi Hotspots