Mozilla blocks malicious add-ons installed by 455K Firefox users

LASER_oneXM

Mozilla blocked malicious Firefox add-ons installed by roughly 455,000 users after discovering in early June that they were abusing the proxy API to block Firefox updates.

The add-ons (named Bypass and Bypass XM) were using the API to intercept and redirect web requests to block users from downloading updates, updating remotely configured content, and accessing updated blocklists.

"To prevent additional users from being impacted by new add-on submissions misusing the proxy API, we paused on approvals for add-ons that used the proxy API until fixes were available for all users," Mozilla's Rachel Tublitz and Stuart Colville said.
 

Kongo

To all the people bashing on Microsoft Defender:

[Attached image: Unbenannt.PNG]

;)🖕
 

Nightwalker

On the 1st sight, it seems great that MS Defender detects this malware. But on a 2nd look, MS Defender has a dedicated category for BypassPaywall. Uhm, no thanks MS. Another reason why I'm not using MS Defender.

Err no, it is just the signature name, this doesn't mean that Microsoft Defender is actively detecting extensions or scripts that are made to bypass paywalls like this one below.


If you read the article you will understand why the name was chosen.
 

The_King

On the 1st sight, it seems great that MS Defender detects this malware. But on a 2nd look, MS Defender has a dedicated category for BypassPaywall. Uhm, no thanks MS. Another reason why I'm not using MS Defender.
Somewhat agree with you.
While Mozilla didn't share if the two add-ons were doing anything else malicious in the background, BleepingComputer found after analyzing them that they likely were using a reverse proxy to bypass paywalled sites.

However, the add-ons also had Mozilla's domain in the paywall list which inadvertently also blocked browser updates.
Defender seems to be blocking it purely because it's a Paywall bypass. Somewhat of a grey area if you use adblockers as you can now access paid for content for free.

On the other hand I personally think MS defender is great and offers excellent protection overall.
 

Nightwalker

Somewhat agree with you.

Defender seems to be blocking it purely because it's a Paywall bypass. Somewhat of a grey area if you use adblockers as you can now access paid for content for free.

On the other hand I personally think MS defender is great and offers excellent protection overall.

No, it is being detected by Microsoft Defender because Mozilla Security Team marked those addons as malicious.



Microsoft Defender doesn't detect other paywall bypasses that are not malicious, do you know other clean paywall bypass that is being blocked by it? Never heard of a single case ...
 

Azure

Would have been much more impressed by Microsoft if they detected it before the Mozilla report.
 

The_King

Microsoft Defender doesn't detect other paywall bypasses that are not malicious, do you know other clean paywall bypass that is being blocked by it? Never heard of a single case ...
I have used Bypass Paywall clean a few months ago. Removed it because I don't normally visit paid for content sites and it constantly asked for new site permissions every time I launched FF even if it was disabled. I do consider these plugins to be sketchy.

I am sure Firefox reported the extension to other AV vendors. MS Defender says it was updated 2 August yet no other AV vendor considers the extension to be malicious on VT?

 

vaccineboy

There is no indication that the addon has actually done anything malicious, but its setup could be used for malicious purpose should the developer choose to. Mozilla is right to block it, but labeling it as malicious in my opinion is a gray matter. The word "inadvertently" on the part of the addon developer was curiously recited.
And naming it the way MS does is also disagreeable.
 
