Mozilla blocks malicious add-ons installed by 455,000 Firefox users


Mozilla announced that in early June it discovered malicious Firefox add-ons, installed by approximately 455,000 users, that were abusing the proxy API to block Firefox updates, and that it has blocked the add-ons in question.

Securing the proxy API for Firefox add-ons – Mozilla Security Blog

These add-ons (“Bypass” and “Bypass XM”) were found to be using the proxy API to intercept and redirect web requests, blocking users from downloading updates, updating remotely configured content, and accessing updated blocklists.

To prevent more users from being affected by newly submitted add-ons that exploit the proxy API, Mozilla has suspended approval of add-ons that use the proxy API until a fix is available to all users.

Beginning with Firefox 91.1, if an important request (such as an update) made through a proxy setting fails, Firefox will fall back to a direct connection.

The successful completion of these requests allows Mozilla to provide the latest critical updates and protections to its users.

In order to block similar malicious add-ons that exploit the same API, Mozilla has added a system add-on named Proxy Failover (hidden, cannot be disabled, and can be updated without a reboot).

This new add-on blocks attempts to interfere with the update mechanism for current and past Firefox versions.

Block the installation

Mozilla has not disclosed whether the two add-ons were doing anything else malicious in the background, but we have found that they were most likely using reverse proxies to bypass paid sites.

However, the add-ons included Mozilla’s domains in their list of paywalled sites, and blocked browser updates.

How to make sure you are not affected

Mozilla recommends that users update their web browsers to at least the latest release version (Firefox 93). This will help protect users from add-ons that exploit the proxy API.

Also, if you are using Windows, please make sure you are running Microsoft Defender.

Using Firefox 93 and Defender together will help protect you from this issue.

Microsoft Defender is an anti-malware solution that detects these add-ons as malicious and tags them as BrowserModifier:JS/BypassPaywall.

If you are not using Firefox 93 and do not have browser updates disabled, you may be affected by this issue.

Please update Firefox to the latest version just in case; Firefox ships with an up-to-date blocklist that automatically disables these malicious add-ons.

If you are still unable to update Firefox, you can also follow these steps to find and remove any add-ons that are preventing you from upgrading to the new version.

Go to the Troubleshooting Information page.

In the “Add-ons” section, search for the following entry.

Bypass

ID: {7c3a8b88-4dc9-4487-b7f9-736b5f38b957}

BypassXM

ID: {d61552ef-e2a6-4fb5-bf67-8990f0014957}

Note: Please make sure that the IDs match exactly. There may be other unrelated add-ons that use these or similar names.

If these IDs do not appear in the list, you are unaffected.

To make sure there are no traces left, you can refresh Firefox and reset all add-ons and settings, or you can download and install Firefox anew and start over.
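The ID check described above can also be run across many profiles at once. The following is an added example, not code from Mozilla or from the original article; it assumes each profile directory contains an `extensions.json` file with an `addons` array whose entries carry `id`, `defaultLocale.name` and `active` fields, and the function names and sample data are constructed for illustration.

```python
import json
from pathlib import Path

# Add-on IDs listed in the article. Matching is on the exact ID, never the name,
# because unrelated add-ons may use the same or similar names.
BLOCKED_IDS = {
    "{7c3a8b88-4dc9-4487-b7f9-736b5f38b957}": "Bypass",
    "{d61552ef-e2a6-4fb5-bf67-8990f0014957}": "BypassXM",
}

def find_blocked_addons(extensions_json_text):
    """Return (id, display name, active) for each listed add-on in one profile."""
    data = json.loads(extensions_json_text)
    hits = []
    for addon in data.get("addons", []):
        addon_id = addon.get("id")
        if addon_id not in BLOCKED_IDS:
            continue
        # Assumed layout: the display name lives under defaultLocale.name.
        name = (addon.get("defaultLocale") or {}).get("name", "<unnamed>")
        hits.append((addon_id, name, bool(addon.get("active"))))
    return hits

def scan_profiles(profiles_root):
    """Check every profile directory under profiles_root that has extensions.json."""
    results = {}
    for path in sorted(Path(profiles_root).glob("*/extensions.json")):
        try:
            text = path.read_text(encoding="utf-8")
            results[path.parent.name] = find_blocked_addons(text)
        except (OSError, ValueError) as exc:
            results[path.parent.name] = exc  # unreadable or corrupt: review by hand
    return results

# Constructed sample: a listed add-on, a look-alike name with a different ID,
# and a listed ID that is present but disabled under another display name.
SAMPLE = json.dumps({"addons": [
    {"id": "{7c3a8b88-4dc9-4487-b7f9-736b5f38b957}",
     "defaultLocale": {"name": "Bypass"}, "active": True},
    {"id": "bypass-helper@example.invalid",
     "defaultLocale": {"name": "Bypass"}, "active": True},
    {"id": "{d61552ef-e2a6-4fb5-bf67-8990f0014957}",
     "defaultLocale": {"name": "Renamed"}, "active": False},
]})

if __name__ == "__main__":
    for addon_id, name, active in find_blocked_addons(SAMPLE):
        print(f"{addon_id}  name={name!r}  active={active}")
```

A profile that reports a listed ID with `active` set to `False` has usually already been handled by the blocklist, but the add-on is still installed and should be removed.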
