Firefox users beware: two more malware extensions have been discovered, this time with full-blown trojans. The first extension, called “Adobe Flash Player Updater,” is a malicious add-on that downloads and installs other malware on the user’s computer. The second extension, called “BetterPrivacy,” is a privacy-invading extension that collects personal information such as browsing history and search terms. Both extensions have been removed from the Firefox Add-ons Store, but users should be vigilant about installing any unknown extensions and keeping their browsers up to date. Firefox is a popular web browser used by millions of people around the world, so it’s important to keep it safe from malicious software. ..

Last time, it was as simple as spam links showing up in your browser, and tracking the URLs you were going to—really frustrating and evil, but not necessarily the end of the world, since it wasn’t going to take over your PC.

Yesterday, the Mozilla Add-ons blog reported that two extensions contained nasty trojans that hijacked your PC.

If you’ve installed those extensions at any point, you should make sure to run a full virus scan on your PC.

Rant About Firefox Extension Security

Instead of ranting again, let me just quote what I said last time this happened…

The current process over at Mozilla is to run an automated virus scanner against the extensions, and as a result of this issue they have added more scanning tools to the process. This doesn’t solve the real issue, because any virus programmer with some skills can write a customized virus that doesn’t get picked up by any of the commercial virus scanning tools. Sure, some of the tools have heuristics that will probably detect rootkits and some of the nastier techniques, but it’s not going to prevent the issue entirely.

The real problem isn’t even a traditional virus, as far as I’m concerned. How difficult would it be for somebody to write a native Firefox extension that simply takes all your passwords and sends them to a rogue site? There’s no security layer to prevent add-ons from accessing your personal information stored in the browser, and no virus scanner is going to pick up a native Firefox extension since they are written in Javascript.

The Partial Solution

Nobody’s expecting Mozilla to scan through the source code of every single extension—that’s just prone to human error anyway. What would make sense, however, is to have some layers of security that prevent add-ons from accessing any of your personal information stored in the browser unless you specifically allow them to.

What Can You Do to Keep Safe?

You should always make sure to check the reviews on an extension before you install it—don’t just take somebody else’s word when they vouch for an extension… make sure to do your due diligence to check things out first. The same thing applies for any application, of course—if you’re installing applications without doing a virus scan, you’re leaving yourself wide open to having your PC hijacked.

Please read: Security Issue on AMO [Mozilla Add-ons Blog]