CNET reports that Mozilla's add-on website was home to a password-stealing application named Mozilla Sniffer. The application was downloaded about 1,800 times in the five weeks it was available, as its malicious activity went undetected until July 12th. Mozilla responded by deleting the add-on and adding it to the blocklist, which will prompt the add-on to be uninstalled for all current users. To prevent similar issues in the future, Mozilla is working on a new add-on security model that will require all add-ons to be code-reviewed before they are published on addons.mozilla.org.
Mozilla Sniffer intercepts login data and sends it to a remote server that appeared to be down, according to the blog post.
The software was not developed by Mozilla, nor was it reviewed by the company. Unreviewed add-ons are scanned for viruses, Trojans and other malware, but some malicious activity can only be detected by reviewing the code, Mozilla said.
"We're already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site," the company said.