Mozilla disables password-stealing Firefox add-on

Mozilla Sniffer is downloaded about 1,800 times before being disabled and blocked for stealing passwords.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

July 14, 2010 4:03 p.m. PT

Mozilla has disabled and added to a block list a Firefox add-on that stole log-in information when users visited Web sites, the company says.

The software, called Mozilla Sniffer, had been downloaded about 1,800 times in the approximately five weeks it was available on addons.mozilla.org, Mozilla reported in a blog post on Tuesday.

The blocklist will prompt the add-on to be uninstalled for computers running the program. Users who installed it should change their passwords.

Mozilla Sniffer intercepts login data and sends it to a remote server that appeared to be down, according to the blog post.

The software was not developed by Mozilla, nor was it reviewed by the company. Unreviewed add-ons are scanned for viruses, Trojans and other malware, but some malicious activity can only be detected by reviewing the code, Mozilla said.

"We're already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site," the company said.