{"id":2820,"date":"2021-10-25T10:04:33","date_gmt":"2021-10-25T17:04:33","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2820"},"modified":"2021-10-25T23:43:45","modified_gmt":"2021-10-26T06:43:45","slug":"securing-the-proxy-api-for-firefox-add-ons","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/","title":{"rendered":"Securing the proxy API for Firefox add-ons"},"content":{"rendered":"<p>Add-ons are a powerful way to extend and customize Firefox. At Mozilla, we are committed not only to supporting WebExtensions APIs, but also ensuring the safety and reliability of the ecosystem for the long term.<\/p>\n<p>In early June, we discovered add-ons that were misusing the <a href=\"https:\/\/developer.mozilla.org\/docs\/Mozilla\/Add-ons\/WebExtensions\/API\/proxy\">proxy API<\/a>, which is used by add-ons to control how Firefox connects to the internet. These add-ons interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.<\/p>\n<p>In total these add-ons were installed by 455k users.<\/p>\n<p>This post outlines the steps we have taken to mitigate this issue as well as provide details of what users should do to check if they are affected. Developers of add-ons that use the proxy API will find some specific instructions below that are required for future submissions.<\/p>\n<p>&nbsp;<\/p>\n<h3>What have we done to address this?<\/h3>\n<p>The malicious add-ons were blocked, to prevent installation by other users.<\/p>\n<p>To prevent additional users from being impacted by new add-on submissions misusing the proxy API, we paused on approvals for add-ons that used the proxy API until fixes were available for all users.<\/p>\n<p>Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails. Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users. We also deployed a <a href=\"https:\/\/firefox-source-docs.mozilla.org\/toolkit\/mozapps\/extensions\/addon-manager\/SystemAddons.html\">system add-on<\/a> named \u201cProxy Failover\u201d (ID: proxy-failover@mozilla.com) with additional mitigations that has been shipped to both current and older Firefox versions.<\/p>\n<p>&nbsp;<\/p>\n<h3>As a Firefox user, what should I do next?<\/h3>\n<p>It is always a good idea to keep Firefox up to date, and if you\u2019re using Windows to make sure <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-antivirus-windows\">Microsoft Defender<\/a> is running. Together, Firefox 93 and Defender will make sure you&#8217;re protected from this issue.<\/p>\n<p>First, <a href=\"https:\/\/support.mozilla.org\/kb\/find-what-version-firefox-you-are-using\">check what version of Firefox you are running<\/a>. Assuming you have not disabled updates specifically, you should be running at minimum the <a href=\"https:\/\/wiki.mozilla.org\/Release_Management\/Calendar\">latest release version<\/a>, which is Firefox 93 as of today (or Firefox ESR 91.2). If you are not running the latest version, and have not disabled updates, you might want to check if you are affected by this issue. First, <a href=\"https:\/\/support.mozilla.org\/kb\/update-firefox-latest-release\">try updating Firefox<\/a>. Recent versions of Firefox come with an updated blocklist that automatically disables the malicious add-ons. If that doesn\u2019t work, there are a few ways to fix this:<\/p>\n<ul>\n<li aria-level=\"1\">Search for the problematic add-ons and remove them.\n<ol>\n<li aria-level=\"1\">Visit the <a href=\"https:\/\/support.mozilla.org\/kb\/use-troubleshooting-information-page-fix-firefox#w_accessing-the-troubleshooting-information-page\">Troubleshooting Information page<\/a>.<\/li>\n<li aria-level=\"1\">\n<div>\n<div>In the Add-ons section, search for one of the following entries:<\/div>\n<div><\/div>\n<div>Name: Bypass<\/div>\n<div>ID: {7c3a8b88-4dc9-4487-b7f9-736b5f38b957}<\/div>\n<div><\/div>\n<div>Name: Bypass XM<\/div>\n<div>ID: {d61552ef-e2a6-4fb5-bf67-8990f0014957}<\/div>\n<div><\/div>\n<div>Please make sure the ID matches exactly as there might be other, unrelated add-ons using\u00a0 those or similar names. If none of those IDs are shown in the list, you are not affected.<\/div>\n<div><\/div>\n<div>If you find a match, follow <a href=\"https:\/\/support.mozilla.org\/kb\/disable-or-remove-add-ons\">these instructions<\/a> to remove the add-on(s).<\/div>\n<\/div>\n<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<ul>\n<li aria-level=\"1\">Try <a href=\"https:\/\/support.mozilla.org\/kb\/refresh-firefox-reset-add-ons-and-settings\">refreshing Firefox<\/a>, which will reset your add-ons and settings.<\/li>\n<li aria-level=\"1\">You can also head over to <a href=\"https:\/\/www.mozilla.org\/firefox\/all\">download a new copy of Firefox<\/a> if needed.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3>As a Firefox add-on developer, what should I do next?<\/h3>\n<p><i>Note: The following only applies to add-ons that require the use of the proxy API.<\/i><\/p>\n<p>We are asking all developers requiring the proxy API to start including a <a href=\"https:\/\/developer.mozilla.org\/docs\/Mozilla\/Add-ons\/WebExtensions\/manifest.json\/browser_specific_settings\">strict_min_version<\/a> key in their manifest.json files targeting \u201c91.1\u201d or above as shown in this example:<\/p>\n<pre><code>\u201cbrowser_specific_settings\u201d: {<\/code> <code>\u00a0\u00a0\u201cgecko\u201d: {<\/code> <code>\u00a0 \u00a0 \u201cstrict_min_version\u201d: \u201c91.1\u201d<\/code> <code>\u00a0\u00a0}<\/code> <code>}<\/code><\/pre>\n<p>Setting this explicitly will help us to expedite review for your add-on; thank you in advance for helping us to keep Firefox users secure.<\/p>\n<p>&nbsp;<\/p>\n<h3>In Summary<\/h3>\n<p>We take user security very seriously at Mozilla. Our add-on submission process includes automated and manual reviews that we continue to evolve and improve in order to protect Firefox users.<\/p>\n<p>If you uncover a security vulnerability, please <a href=\"https:\/\/www.mozilla.org\/security\/web-bug-bounty\/\">report it via our bug bounty program<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Add-ons are a powerful way to extend and customize Firefox. At Mozilla, we are committed not only to supporting WebExtensions APIs, but also ensuring the safety and reliability of the &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/\">Read more<\/a><\/p>\n","protected":false},"author":1773,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,69],"tags":[],"coauthors":[466099,282914],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Securing the proxy API for Firefox add-ons - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rachel Tublitz, Stuart Colville\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/\",\"name\":\"Securing the proxy API for Firefox add-ons - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2021-10-25T17:04:33+00:00\",\"dateModified\":\"2021-10-26T06:43:45+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c995016ae62a6559a916174192c365cb\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing the proxy API for Firefox add-ons\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c995016ae62a6559a916174192c365cb\",\"name\":\"Rachel Tublitz\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a1d837f8cdb2f098ebbd2c8bd8d167f3\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/720492ff5bb5e186e18dbf3caf9b1d73?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/720492ff5bb5e186e18dbf3caf9b1d73?s=96&d=identicon&r=g\",\"caption\":\"Rachel Tublitz\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Securing the proxy API for Firefox add-ons - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/","twitter_misc":{"Written by":"Rachel Tublitz, Stuart Colville","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/","name":"Securing the proxy API for Firefox add-ons - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2021-10-25T17:04:33+00:00","dateModified":"2021-10-26T06:43:45+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c995016ae62a6559a916174192c365cb"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/25\/securing-the-proxy-api-for-firefox-add-ons\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Securing the proxy API for Firefox add-ons"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c995016ae62a6559a916174192c365cb","name":"Rachel Tublitz","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a1d837f8cdb2f098ebbd2c8bd8d167f3","url":"https:\/\/secure.gravatar.com\/avatar\/720492ff5bb5e186e18dbf3caf9b1d73?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/720492ff5bb5e186e18dbf3caf9b1d73?s=96&d=identicon&r=g","caption":"Rachel Tublitz"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2820"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1773"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2820"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2820\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2820"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}