Mozilla on Monday disclosed that it blocked two malicious Firefox add-ons, installed by 455,000 users, that were found misusing the Proxy API to impede the downloading of updates to the browser.
The two extensions in question, named Bypass and Bypass XM, “interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing up-to-date blocklists, and updating remotely configured content,” Mozilla’s Rachel Tublitz and Stuart Colville said.
Because the Proxy API can be used to proxy web requests, an abuse of the API could allow a bad actor to effectively control the way the Firefox browser connects to the internet.
In addition to blocking the extensions to prevent installation by other users, Mozilla said it is pausing approvals for new add-ons that use the proxy API until the fixes are broadly available. What’s more, the California-based non-profit said it has deployed a system add-on named “Proxy Failover” that ships with additional mitigations to address the issue.
Users who have installed the problematic add-ons are strongly advised to remove them by heading to the Add-ons section and explicitly searching for “Bypass” (ID: 7c3a8b88-4dc9-4487-b7f9-736b5f38b957) or “Bypass XM” (ID: d61552ef-e2a6-4fb5-bf67-8990f0014957).
Developers of add-ons that require the use of the proxy API are also required to start including a “strict_min_version” key in their manifest.json files, targeting Firefox browser versions 91.1 or above.
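A pre-submission check for the manifest requirement above, written here as an added example and not code from Mozilla or the article. It assumes the add-on requests the `proxy` permission and declares `strict_min_version` under `browser_specific_settings.gecko` (or the older `applications.gecko`); the function names and sample manifests are constructed for illustration.

```javascript
// Added example: audit a WebExtension manifest for the proxy-API requirement.
const REQUIRED_MIN = "91.1"; // minimum Firefox version stated in the article

// Compare dotted numeric versions; returns negative, 0 or positive.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function auditManifest(manifest) {
  // Look in both permission lists so an optional request is not missed.
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  if (!perms.includes("proxy")) {
    return { usesProxy: false, ok: true, reason: "proxy permission not requested" };
  }
  // Firefox reads the key from browser_specific_settings.gecko
  // ("applications" is the older name for the same block).
  const gecko =
    (manifest.browser_specific_settings || manifest.applications || {}).gecko || {};
  const min = gecko.strict_min_version;
  // Pre-release strings such as "91.0a1" are rejected rather than guessed at.
  if (typeof min !== "string" || !/^\d+(\.\d+)*$/.test(min)) {
    return { usesProxy: true, ok: false, reason: "strict_min_version missing or not numeric" };
  }
  if (compareVersions(min, REQUIRED_MIN) < 0) {
    return { usesProxy: true, ok: false, reason: `strict_min_version ${min} is below ${REQUIRED_MIN}` };
  }
  return { usesProxy: true, ok: true, reason: `strict_min_version ${min} meets ${REQUIRED_MIN}` };
}

// Constructed sample manifests (not taken from any real add-on).
const samples = {
  noKey: { manifest_version: 2, name: "a", permissions: ["proxy", "<all_urls>"] },
  tooOld: { manifest_version: 2, name: "b", permissions: ["proxy"],
    browser_specific_settings: { gecko: { strict_min_version: "91.0" } } },
  good: { manifest_version: 2, name: "c", optional_permissions: ["proxy"],
    applications: { gecko: { id: "c@example.invalid", strict_min_version: "91.1" } } },
  noProxy: { manifest_version: 2, name: "d", permissions: ["storage"] },
};
for (const [name, m] of Object.entries(samples)) {
  console.log(name, auditManifest(m));
}
```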