Firefox flags Web of Trust add-on as suspicious, blocks by default

Trust-based app hasn’t been trustworthy for some time…

Web of Trust

Mozilla Firefox is now flagging the popular Web of Trust (WOT) browser add-on as suspicious and is disabling it by default.

On 25 January, users took to several of WOT's support forums to explain how they could no longer use the add-on on Firefox. Here's what one commenter said:

"I just started getting a message from firefox trying to disable and/or delete this app. It is citing some bull about it being unsafe etc. Would the devs please contact firefox and get this resolved or otherwise update their app? I would rather not have to keep manually enabling it. Thanks. I also cannot find the download for the app on this site. If anyone could please redirect me to the latest version so I can see if I indeed am running the latest version that would be great."

WOT works by sending clickable webpages to a central system while the user browses the internet. That system sources reviews and reputation scores to return a traffic color for each clickable page. If the color is green, that means it's safe. If it's red, that means a user should visit the page only at their own risk.

Screen shot 2011 03 24 at 3 30 35 pm

According to WOT, 140 million users employ the browser add-on to ensure a safer browsing experience. It's therefore not surprising that so many Firefox users were alarmed when they saw this window pop up.

Screen shot 2017 01 26 at 9.36.59 am

"Web of Trust 20170120 and lower has been blocked for your protection.

"Why was it blocked?

"Versions 20170120 and lower of the Web of Trust add-on send excessive user data to its service, which has been reportedly shared with third parties without sufficient sanitization. These versions are also affected by a vulnerability that could lead to unwanted remote code execution.

"Who is affected?

"All Firefox users who have these versions of the Web of Trust add-on installed.

"What does this mean?

"The problematic add-on or plugin will be automatically disabled and no longer usable."

Sharing information with third parties? Remote code execution? Sheesh, none of that sounds good. But these issues just arose, right?

Wrong.

Back in the fall of 2016, the German public radio and television broadcaster Norddeutscher Rundfunk (NDR) revealed that WOT creates a user profile of sorts containing a user ID along with the date, time, location, and transmitted webpages.

These profiles, which WOT maintains are anonymous, allowed NDR reporters to deanonymize at least 50 different users using their email addresses, names, and other bits of information. Mike Kuketz, who participated in NDR's research, confirmed those findings in his own blog post.

Mozilla received word of the report on 1 November 2016. Just one day later, an audit performed by Rob Wu revealed an even bigger problem: the WOT add-on could execute arbitrary code on any page, meaning the company could infect users with malware or steal their banking credentials if it so chose.

Firefox removed the add-on from addons.mozilla.org around the time Wu performed his audit. That Mozilla is now blocking WOT completely suggests it is stepping up its efforts to protect users against malicious activity.

To its credit, WOT said in a forum comment that it's working on patching the remote code execution bug. But it hasn't addressed the deanonymization issue. Until it does, it might behoove users to uninstall the add-on and go with a safer alternative.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

4 Responses

  1. Orties

    January 26, 2017 at 10:59 pm #

    Any recommendations on 'a safer alternative'?

    • Bob in reply to Orties.

      January 26, 2017 at 11:37 pm #

      Kaspersky has excellent integrated Safe Browsing Protection.

  2. linux

    January 29, 2017 at 6:35 pm #

    https://addons.mozilla.org/en-US/firefox/addon/trafficlight/

  3. Sean S.

    April 12, 2017 at 8:55 am #

    This is bullsh**. I'm sorry, but I trust WoT a hell of a lot more than Mozilla, especially after they decided to rape us add-on developers from behind by requiring the use of WebExtensions and taking any form of customization away from end-users. Firefox does NOT have the right to tell its users what software to use, whether it's Web of Trust (for which I just finished coding a work-around by writing an executable program that calls the API from my computer) or the addons written for Firefox. Last I checked, Mozilla was not my mother, boss or god. This is what Google (Chrome and nearly *every* other so-called "service" it has), Microsoft (with its enforced automatic updates in Windows 10) and other multi-billion dollar conglomerates have been doing all along, which is the only reason I and the other 17 users who stuck with Firefox until now have done so. After 57 goes live though, Firefox WILL be finished within a year or two. I'm sure I'll receive some hateful comments from this, but it's the truth. Anyone who disagrees will just have to wait and realize it. I on the other hand will not brown-nose Google and Chrome any longer, and neither will the vast majority of add-on developers for Firefox, if the comments, forums and literally *pleas* from my fellow programmers are any indication. I've yet to find more than 6 or 7 *positive* responses to this on *any* site, so anyone who *does* continue using Firefox foolishly will either have to write their own add-ons or pay a developer to write it for them, and that goes for Mozilla, too. If I sound angry, it's because I was betrayed by what I perceived as an Open non-profit organization, but that'll change soon. They're behaving exactly like Google, and I wouldn't be surprised if they changed their 501 status soon. Pathetic!

Leave a Reply