Malicious add-on uses proxy API to prevent Firefox from obtaining security updates

Mozilla announced that it has removed two extensions, which it considers malicious, from the Firefox browser store.

The extensions, named BYPASS and BYPASS XM, had accumulated a total of 455,000 users. Firefox also deletes the malicious extensions directly on the client side through cloud policies.

Firefox browser users should check for these extensions by ID: “Bypass” (ID: 7c3a8b88-4dc9-4487-b7f9-736b5f38b957) or “Bypass XM” (ID: d61552ef-e2a6-4fb5-bf67-8990f0014957). If you find that they have not been removed automatically, please delete them manually.

Most malicious extensions steal user data or hijack traffic to load advertisements. The behavior of the extensions discovered this time, however, is puzzling.

The analysis found that the extensions call the proxy API after installation. The normal purpose of this API is to set up a proxy and take over all requests made by the browser.

The malicious extensions turned out to use it to block the Firefox browser from connecting to the server in some way, thereby preventing the browser from obtaining the latest security updates.

For now, Mozilla has not announced any other malicious purposes of these extensions, so what is the point of simply preventing Firefox from obtaining security updates?

For security reasons, Mozilla also announced that it will suspend the approval of any extensions that need to call the proxy API until this problem is completely resolved.

At the same time, Mozilla has deployed a system add-on called proxy failover through a cloud policy, which can automatically resolve the problem locally.

If you are in doubt, please go to the Firefox extension page and search for the extensions and corresponding IDs listed above. If they have not been deleted automatically, please delete them manually.
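The manual ID check described above can be scripted across many profiles. The following is an added example, not code from Mozilla or from the original article: it parses the text of a Firefox profile's `extensions.json`, flags the two IDs published on this page, and lists other user-installed add-ons that hold the `proxy` permission for review. The field names (`addons`, `id`, `active`, `location`, `defaultLocale`, `userPermissions`) and the `app-profile` location value are assumptions about that file's layout, and the sample data is constructed.

```python
import json

# Add-on IDs as published on this page (Bypass, Bypass XM).
BLOCKED_IDS = {
    "7c3a8b88-4dc9-4487-b7f9-736b5f38b957": "Bypass",
    "d61552ef-e2a6-4fb5-bf67-8990f0014957": "Bypass XM",
}

def normalize(addon_id):
    # GUID-style IDs may be stored wrapped in braces and in mixed case.
    return addon_id.strip().strip("{}").lower()

def audit_addons(extensions_json_text):
    """Return (blocked, proxy_users) found in a profile's extensions.json text."""
    data = json.loads(extensions_json_text)
    blocked, proxy_users = [], []
    for addon in data.get("addons", []):
        addon_id = addon.get("id") or ""
        name = (addon.get("defaultLocale") or {}).get("name", "?")
        perms = (addon.get("userPermissions") or {}).get("permissions") or []
        if normalize(addon_id) in BLOCKED_IDS:
            blocked.append((addon_id, name, bool(addon.get("active"))))
        elif "proxy" in perms and addon.get("location") == "app-profile":
            # User-installed add-on with the proxy permission: review manually.
            proxy_users.append((addon_id, name))
    return blocked, proxy_users

# Constructed sample in the assumed shape of extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "{7C3A8B88-4dc9-4487-b7f9-736b5f38b957}", "active": True,
     "location": "app-profile", "defaultLocale": {"name": "Bypass"},
     "userPermissions": {"permissions": ["proxy", "storage"]}},
    {"id": "vpn@example.invalid", "active": True,
     "location": "app-profile", "defaultLocale": {"name": "Example VPN"},
     "userPermissions": {"permissions": ["proxy"]}},
    {"id": "notes@example.invalid", "active": True,
     "location": "app-profile", "defaultLocale": {"name": "Notes"},
     "userPermissions": None},
]})

if __name__ == "__main__":
    blocked, proxy_users = audit_addons(SAMPLE)
    for addon_id, name, active in blocked:
        print(f"REMOVE  {name} {addon_id} active={active}")
    for addon_id, name in proxy_users:
        print(f"REVIEW  {name} {addon_id} holds the proxy permission")
```

To audit a real profile, pass the contents of its `extensions.json` to `audit_addons` instead of `SAMPLE`.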