A malicious Firefox add-on was discovered this week that managed to be uploaded to and hosted on the official Mozilla Add-ons site.
A Firefox add-on called “Mozilla Sniffer” had been uploaded to the addons.mozilla.org site on June 6th and identified as malicious and removed on July 12th. The “Mozilla Sniffer” add-on was programmed to capture login data submitted to any Web site and send this data to a remote server controlled by cybercriminals. When discovered, the add-on was promptly disabled and added to the Firefox “Add-On Blocklist,” which should prompt users to uninstall the malware which solves the problem.
Mozilla recommends that anyone who has installed the Mozilla Sniffer add-on change their passwords as soon as possible.
Mozilla said that “Mozilla Sniffer” was downloaded approximately 1,800 times and as of July 13th, shows 334 active daily users. Mozilla also noted in a blog post that the server which was set to receive the captured data seems to be down, so it is unknown if data is still being collected.
Mozilla is developing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site.
Resource: Netcraft has an interesting article with some more technical analysis and information on the discovery