Developer Behind Removed Firefox Security Extension Admits Errors
The developer of the Firefox extension Web Security admits mistakes and apologizes. Mozilla initially recommended the extension in a blog post, but removed the listing and later the extension itself after criticism.
Fabian Simon, who leads development company Creative Software Solutions, commented on Mozilla’s removal of the Web Security extension on Mozilla’s bug tracker and in an email to Heise. He writes that mistakes were made and that he apologizes. For example, network traffic was not encrypted, which has since been adjusted. However, the extension itself can no longer be found among the Firefox add-ons, after Mozilla had already removed its mention of the extension from a blog post following criticism.
It also turned out that the extension forwarded the sites visited by users, for example the site the user came from and the site they were going to. According to Simon, this was necessary to improve heuristics and threat analysis. He claims that the transmitted data was stored on his company’s servers for a maximum of 15 minutes. An analysis also revealed that it was possible to run code remotely via the extension. He says this was old code that was meant to notify the user of “critical threats.”
Mozilla removed a total of 23 extensions after discovering Web Security’s behavior, including other extensions from Creative Software Solutions. The reasons included, for example, that the extensions collected more data than necessary. Simon now promises that changes have been made in a new version of the extension. It is unclear whether Mozilla will allow distribution again following the changes.