Mozilla has disabled and added to a block list a Firefox add-on that stole log-in information when users visited Web sites, the company says.
The software, called Mozilla Sniffer, had been downloaded about 1,800 times in the approximately five weeks it was available on addons.mozilla.org, Mozilla reported in a blog post on Tuesday.
The blocklist will prompt the add-on to be uninstalled for computers running the program. Users who installed it should change their passwords.
Mozilla Sniffer intercepts login data and sends it to a remote server that appeared to be down, according to the blog post.
The software was not developed by Mozilla, nor was it reviewed by the company. Unreviewed add-ons are scanned for viruses, Trojans and other malware, but some malicious activity can only be detected by reviewing the code, Mozilla said.
"We're already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site," the company said.