Firefox addon Web Security transfers private data

[German]It isn't a nice story so far: Mozilla's developers have recommended the addon Web Security for a short time to protect privacy and to secure the browser. However, this addon transmits the URLs and other (possibly private or sensitive) data of the visited websites while surfing, and this via an unencrypted connection. Here are some details on the subject.


Advertising

What is the Web Security addon?

Web Security is an addon for the Firefox browser, which can be downloaded from this Mozilla adddon website.

Firefox Addon Web Security
(Click to zoom)

The developer advertises with 'Live Web Security actively protects you from malware, tampered websites or phishing sites that aim to steal your personal data.' The description says:

Protect your computer and your privacy!

Web Security is a sophisticated browser add-on that uses advanced real-time protection technology as well as an extensive database to prevent websites from harming your computer or obtaining your sensitive data.
Experts have found that the number of attacks and threats of malware and phishing scams have drastically increased and due to their increased complexity, it becomes harder to detect, and prevent. But Web Security uses state-of-the-art technology to identify these and protect the users from entering these potentially dangerous pages.
Users are often lured to open counterfeit websites of banks, by convincing emails. The free and easy to install Web Security add-on will help you detect these counterfeit sites so that you will not be decoyed to enter your sensitive information where it is not safe.
— Update 1.0.1 —–
We are currently working on update 1.0.1, to ensure all data is encrypted with SSL. The update will be available very soon.

The last update has been added, since I've published the German version of this article and since the topic spreads through several blogs.

Reading the first paragraph, my alarm bells are ringing, as I'm talking about an extensive database that is used to check the URLs called up in real time. In plain text: There all URLs will be transferred to the developer of the addon.


Advertising

Mozilla's temporary recommendation for Web Security

On August 9, 2018 Mozilla still recommended this addon in a blog post (Make your Firefox browser a privacy superpower with these extensions). In the meantime, however, this recommendation has been deleted – it can only be recognized indirectly, as the sentence 'We've put together a collection of 14 of our favorite privacy extensions, all made to help give you more control of your personal information' appears in the text. I can only count 13 entries. But German security expert Mike Kuketz, who came across the story, documented the original paragraph in his blog as:

Web Security is a sophisticated browser add-on that uses an extensive database to prevent websites from harming your computer or obtaining your sensitive data. Users are often lured to open counterfeit websites of banks, by convincing emails. The Web Security extension will help you detect these counterfeit sites so that you will not be decoyed to enter your sensitive information where it is not safe.

He warns: Until further notice, you should not use the addon. Apparently, the Mozilla executives withdrew the recommendation for the addon and deleted the paragraph.

Some more background

Mike Kuetz, a German security expert, has inspected the data, the addon transfers during surfing with Firefox. He described what he found within his security blog (here is my translation):

  • The transmitted user data is somehow obfuscated. But the data transmission is using an unprotected http connection. The user don't know what is really being transmitted.
  • Every domain visited and every change of URL triggers a data transfer. This is also logical, because the addon promises to protect against bad URLs and should match the URL with a database.

Kuketz writes that the data trasnfered are critical in terms of privacy , similar to 'Web of Trust' data scandal (see my blog post Web of Trust harvesting and selling user's surfing data). In a second German blog post, Kuketz refers to a German forum post where someone writes that the decryption routine is in the include/background.js file. Using this function it was possible to decrypt the transmitted data set. Here is an example from the forum, which tells you exactly what is transferred (a surveillance, what the surfer does).

<id|35237841|id>
<hash|1|hash>
<app|web_security|app>
<agent|FF|agent>
<app_data|;
<oldUrl;|http://blog.fefe.de/;|oldUrl;>;
<newUrl;|https://www.kuketz-blog.de/;|newUrl;>;
<oldHost;|blog.fefe.de;|oldHost;>;
<newHost;|www.kuketz-blog.de;|newHost;>;
<hash;|67918192;|hash;>;
<language;|de;|language;>|app_data>

The transmission is made to the IP address "136.243.163.73" – this is a Hetzner server in Germany. Since the developer of the addon is Creative Software Solutions GmbH from Hameln, Germany, this is not surprising. The privacy policy (https://addons.mozilla.org/de/firefox/addon/web-security/privacy/) of the add-on names Creative Software Solutions GmbH and also provides information about the data collection.

2. Non-personally identifiable information that is collected automatically by Creative Software Solutions GmbH:

When the user opens the pages, used by Web Security, the following information gets processed to assure the successful operation of Web Security: the web pages that the user opens or the operating web server, the name of the internet service provider of the user and the website from which the user came from and the sub-pages the user opened. Otherwise, the user might not be warned of harmful sites. No personal information is collected by Creative Software Solutions GmbH automatically. The date and duration of the individual page visits will be stored by Creative Software Solutions GmbH in an anonymous form and checked against a database operated by Creative Software Solutions GmbH to alert the user about malicious sites, so that the purpose of the contract is fulfilled.

The usual text 'we transfer the data (URLs) of the accessed websites, which provider is behind it and from where a new page is accessed' – of course only to be able to perform the addon's browser protection function. Creative Software Solutions GmbH does not collect or store any personal data'.

Sounds good, since the 'Web of Trust' incident it should be clear, there is no 'anonymous data'. When you get the data, you can often determine the person concerned on the basis of the surfing history via the URLs of the pages visited. A web search revealed the following business purpose on the basis of the extracts from the commercial register for the GmbH:

Development and marketing of software. Development and design of ad server technology and trade with advertising space for targeted traffic..

Now I don't want to say, that Creative Software Solutions GmbH try to collect the URLs, make them anonymous and then sell them (I have no evidence). But the combination of capturing all URLs and information about where you come from, the coding of the information, the transmission via http (which will be now shifted to SSL), should sound the alarm bells of every thinking person. A function you don't need, so keep your hands off this addon.

The One star reviews (https://addons.mozilla.org/de/firefox/addon/web-security/reviews/) of the addon are quite revealing. One claims that the addon did not prevent a malicious redirect to malware.

I visit a website I knew had been hacked and was redirecting to malware sites. I had no way to check if it had been fixed yet without visiting. Firefox was not blocking the malware redirects, so I got this addon. It didn't block the malware redirects, either.

Another writes an even stranger observation that the addon was installed in Firefox without his consent (possibly by pilot):

Where did this extension come from? I never installed this, noticed when Firefox started acting up and found this in my addons.

Well, we should take these ratings with caution. But it helps to scale that situation, because the sum of all puzzle pieces makes the whole picture. Mike Kuketz strongly discourages the use of the addon, and I can only agree with that. Martin Brinkmann has also addressed the topic in this article on ghacks.net. He came to the same conclusions and complained that the Mozilla people did not test and now simply removed the text with the recommendation without informing the users. Since this initial reports, the story spreads through the web and articles may be found at The Register, Bleeping Computer and other sites.

Note: Mozilla has removed now this and other 22 addons for privacy issues from addon repository.

Addendum: A word from the Addon developer

I reveived the text below with further explanation from the addon developer (or I need to say from his boss).


Dear community, dear Günter Born,

we would like to take a stand on the events of the last days.

Without question we made mistakes in our free addons for which we would like to sincerely apologize. Further it is our mission to in any form about the issues and the future improvements.

Encryption (SSL): The communication of our addons with the servers was not completely encrypted. This has been fixed on the server side and an update for the addons is ready and can be rolled out as soon as Mozilla unlocks the addons.

For improved transparency, we would like to explain what data has been transmitted and the purpose of this transfer.

We transfer the following data:
– ID
– Old URL / old host
– New URL / new host
– hash
– App
– Agent
– Language

We use the ID to build a security chain that can consist of up to 5 consecutive requests. Should the user enter a malicious website, then the transferred "old URL" and the "new URL" can be used to track from which website the user came to this malicious website.

With this system, malicious pages get a "red" rating. Pages that link to "red" pages receive a "yellow" rating.

All this data is used to improve our heuristics and threat analysis. The transmitted data is stored for a maximum of 15 minutes on our German servers and cannot be used to identify a natural person.

We use to transfer "App", "Agent", "Language" and "Hash" for statistical reasons. As part of the updates, however, this data will be removed in the next update.

In order to avoid ambiguity, we will further clarify the explanations of what data is transferred and what it is used for in more detail.

Remote Code Execution: Unfortunately, in the course of any continuous software development project remnants of old program code are always left behind. Such was the case for us, however as reported in 7 out of 10 addons this program code was no longer functional.

In the past, this feature was used to quickly alert the user of critical threats without having to undergo the time-consuming update procedure. Mozilla's new update policy makes this feature obsolete and this the functionality is no longer in use. With the future update, the remaining fragments will be permanently removed. In addition, we will improve our quality assurance management to avoid such code snippets or errors in the.

We regret the incident and would like to have the opportunity to regain the confidence placed in us by the users.

Best Regards,
Fabian Simon


Added Notes: The addon has been removed (among other 22 addons) from Mozilla's repository. To allow you to juge the value of this statement, here is a link to a German forum post. It reveals the organisational structure of a holding, founded by Mr. Simon. And the forum post sheds lights on activities of Mr. Simon within the past (looks a lot like 'gray matter' imho). I guess Google translate will do the job. In a nutshell: The people around Creative Software Solutions GmbH has never been involved into 'computer security' (their business is more dedicated to SEO and data harvesting) – so it's rather suspicious, that they offer a 'privacy and security addon' (that collects URLs from visited web sites).

Similar articles:
Web of Trust harvesting and selling user's surfing data
Firefox Focus: The 'Privacy Browser' with build in user tracking
Mozilla's DNS Single Point of Failure build into Firefox
CCleaner 5.45 pulled and other peculiarities


Advertising

This entry was posted in browser, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).