Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Dwindling Trust in Firefox as Mr. Robot Promotion Goes Awry

When promoting a tie-in with a TV show about hacking, Mozilla should have known better than to actually compromise its users’ privacy.  On Friday, December 15th, 2017, users of Firefox Quantum, the newly released version of the browser, noticed that an add-on had been installed without their consent.  “Looking Glass 1.0.3” showed up as a disabled extension, and when users investigated further they were met with the cryptic description “MY REALITY IS JUST DIFFERENT THAN YOURS”.

Looking Glass was part of USA Network’s long-running alternate reality game for Mr. Robot.  According to Mozilla, the add-on was designed as a “shared experience to further your immersion into the Mr. Robot universe.”  Users had to explicitly enable the add-on to see any of its effects, but its silent appearance still left many Firefox Quantum users more than a bit alarmed, for a number of reasons:

  1. Unknown Mozilla developers can distribute add-ons to users without their permission.

  2. Mozilla developers can distribute add-ons to users without their knowledge.

  3. Mozilla developers themselves don't realize the consequences of doing this.

  4. Opening the Add-ons window reverts configuration changes that disable experiments.

  5. The only way to properly disable this requires fairly arcane knowledge of the Firefox preferences lockPref() mechanism.

Based on details unearthed by affected users, the add-on was delivered through Mozilla's Shield Studies program, a platform available on all Firefox channels that lets Mozilla test features before they're released. Some Shield studies ask for your permission to opt in; others automatically make their way to your browser and require you to actively opt out. The problem is that many users weren't even aware they were part of the Shield program, so they had no idea where the extension could have come from.
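Points 4 and 5 of the list above are the practical takeaway from the Shield opt-out problem: a change made in about:config can be reverted, so the durable fix is to lock the relevant preferences from an autoconfig file, which is the only place lockPref() works. The following POSIX shell script is an added example, not code from the original post or from Mozilla. It writes the two files Firefox reads for autoconfig (defaults/pref/autoconfig.js and mozilla.cfg, both in the install directory rather than the profile) and adds a check a fleet audit can call. The pref names app.shield.optoutstudies.enabled and extensions.shield-recipe-client.enabled are assumed to be the ones governing opt-out studies in the Firefox 57 era, and app.normandy.enabled the one that replaced the latter in later releases; verify those names against the Firefox version you deploy.

```shell
#!/bin/sh
# Added example (not from the original post or from Mozilla): lock the
# Shield/Normandy study preferences with a Firefox autoconfig file so the
# browser cannot flip them back, which an about:config edit does not prevent.
# Assumptions: $1 is the Firefox install directory (e.g. /usr/lib/firefox);
# the pref names below are the Firefox 57-era study controls plus the later
# app.normandy.enabled switch.

# Write defaults/pref/autoconfig.js, which tells Firefox to load mozilla.cfg,
# and mozilla.cfg itself, which holds the locked preferences.
install_shield_lockprefs() {
    fxdir="$1"
    [ -n "$fxdir" ] || { echo "usage: install_shield_lockprefs <firefox_dir>" >&2; return 2; }
    mkdir -p "$fxdir/defaults/pref"

    # autoconfig.js uses plain pref() calls. obscure_value 0 means mozilla.cfg
    # is not byte-shifted, so it must be readable as plain text.
    cat > "$fxdir/defaults/pref/autoconfig.js" <<'EOF'
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
EOF

    # Firefox always skips the first line of mozilla.cfg, so it must be a
    # comment. lockPref() greys the setting out in about:config and about:preferences.
    cat > "$fxdir/mozilla.cfg" <<'EOF'
// Locked preferences: opt out of Shield studies and disable the study client.
lockPref("app.shield.optoutstudies.enabled", false);
lockPref("extensions.shield-recipe-client.enabled", false);
lockPref("app.normandy.enabled", false);
EOF
}

# Report whether an install has the study prefs locked. Returns 0 when both
# Firefox 57-era lockPref lines are present, 1 otherwise.
shield_prefs_locked() {
    cfg="$1/mozilla.cfg"
    [ -f "$cfg" ] || return 1
    grep -q 'lockPref("app.shield.optoutstudies.enabled", false)' "$cfg" &&
    grep -q 'lockPref("extensions.shield-recipe-client.enabled", false)' "$cfg"
}

# Count the pref() lines in autoconfig.js as a sanity check that the loader
# stub was written; Firefox silently ignores a missing autoconfig.js, and then
# mozilla.cfg is never read at all.
autoconfig_pref_count() {
    f="$1/defaults/pref/autoconfig.js"
    [ -f "$f" ] || { echo 0; return; }
    grep -c '^pref(' "$f"
}
```

Run install_shield_lockprefs against the Firefox install directory with privileges to write there, restart Firefox, and confirm in about:config that the three entries show as locked. Writing to the install directory is deliberate: a user_pref() line in a profile's user.js sets a value but does not lock it, so the UI or a later study could still change it, whereas a lockPref() value cannot be changed from the browser.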

Worsening the PR nightmare, Mozilla made the initial bug report about the add-on private, locked another bug report, and deleted comments from several angry users.  One of Mozilla’s own developers tweeted:

            “How can we claim to be pro-privacy while surreptitiously installing software on people’s computers?  More importantly, how did management not see this as a problem?”

Zscaler offers browser control and vulnerability protection.  It is unclear whether Looking Glass itself makes the browser vulnerable, but Zscaler administrators have the option of blocking Firefox Quantum until Mozilla's add-on policy improves.

Further reading:

https://www.engadget.com/2017/12/16/firefox-mr-robot-extension/

https://techcrunch.com/2017/12/15/mozillas-mr-robot-promo-backfires-after-it-installs-firefox-extension-without-permission/

https://gizmodo.com/mozilla-slipped-a-mr-robot-promo-plugin-into-firefox-1821332254

2017, A Year in Review

The Rise of Malware Exploiting Code Signing Certificates
