Categories: Firefox Security

Securing the proxy API for Firefox add-ons

Add-ons are a powerful way to extend and customize Firefox. At Mozilla, we are committed not only to supporting WebExtensions APIs, but also ensuring the safety and reliability of the ecosystem for the long term.

In early June, we discovered add-ons that were misusing the proxy API, which is used by add-ons to control how Firefox connects to the internet. These add-ons interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.

In total these add-ons were installed by 455k users.

This post outlines the steps we have taken to mitigate this issue as well as provide details of what users should do to check if they are affected. Developers of add-ons that use the proxy API will find some specific instructions below that are required for future submissions.

 

What have we done to address this?

The malicious add-ons were blocked, to prevent installation by other users.

To prevent additional users from being impacted by new add-on submissions misusing the proxy API, we paused on approvals for add-ons that used the proxy API until fixes were available for all users.

Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails. Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users. We also deployed a system add-on named “Proxy Failover” (ID: proxy-failover@mozilla.com) with additional mitigations that has been shipped to both current and older Firefox versions.

 

As a Firefox user, what should I do next?

It is always a good idea to keep Firefox up to date, and if you’re using Windows to make sure Microsoft Defender is running. Together, Firefox 93 and Defender will make sure you’re protected from this issue.

First, check what version of Firefox you are running. Assuming you have not disabled updates specifically, you should be running at minimum the latest release version, which is Firefox 93 as of today (or Firefox ESR 91.2). If you are not running the latest version, and have not disabled updates, you might want to check if you are affected by this issue. First, try updating Firefox. Recent versions of Firefox come with an updated blocklist that automatically disables the malicious add-ons. If that doesn’t work, there are a few ways to fix this:

  • Search for the problematic add-ons and remove them.
    1. Visit the Troubleshooting Information page.
    2. In the Add-ons section, search for one of the following entries:
      Name: Bypass
      ID: {7c3a8b88-4dc9-4487-b7f9-736b5f38b957}
      Name: Bypass XM
      ID: {d61552ef-e2a6-4fb5-bf67-8990f0014957}
      Please make sure the ID matches exactly as there might be other, unrelated add-ons using  those or similar names. If none of those IDs are shown in the list, you are not affected.
      If you find a match, follow these instructions to remove the add-on(s).

 

As a Firefox add-on developer, what should I do next?

Note: The following only applies to add-ons that require the use of the proxy API.

We are asking all developers requiring the proxy API to start including a strict_min_version key in their manifest.json files targeting “91.1” or above as shown in this example:

“browser_specific_settings”: {   “gecko”: {     “strict_min_version”: “91.1”   } }

Setting this explicitly will help us to expedite review for your add-on; thank you in advance for helping us to keep Firefox users secure.

 

In Summary

We take user security very seriously at Mozilla. Our add-on submission process includes automated and manual reviews that we continue to evolve and improve in order to protect Firefox users.

If you uncover a security vulnerability, please report it via our bug bounty program.