What just happened? This year has seen online privacy become a real hot topic for the tech industry. It’s why Mozilla published a blog post that highlights several Firefox extensions for keeping your personal details safe from prying eyes. But one of these add-ons has been removed from the list for allegedly collecting and logging users’ browsing histories.
The ‘Web Security’ Firefox extension, created by Germany-based Creative Software Solutions, was one of Mozilla’s 14 favorite privacy extension. It already boasts 221,467 users, who it “actively protects […] from malware, tampered websites or phishing sites."
Soon after the extension appeared on Mozilla’s post, Raymond Hill, developer of the uBlock Origin ad blocker, took to Reddit to point out something unusual about Web Security: it was posting garbled data to a server in Germany.
A few days later, one user managed to decode the information, which turned out to be the URLs of visited websites. When Mozilla found out, the company removed the extension from its blog—it still recommends 14 add-ons, but only 13 are listed.
“We’ve received concerns from the community about the Web Security extension, and are currently investigating those concerns," a Mozilla spokesperson told The Register. "The reference to the extension has been removed from the blog post as part of the investigative process."
Creative Software Solutions says the reason the URLs are collected is to compare them against a global blacklist of sites, meaning that “the communication between the client and our servers is unavoidable.” It added that it does not log this communication and, as the servers are in Germany, it is bound by GDPR.
“Our add-on has also been processed by Mozilla's stringent Verification staff, which have specifically approved all communication that occurs. All data transferred should communicate securely, however as we take these privacy concerns very serious, I have already informed the developers to investigate the issue at hand, to verify and improve if possible,” said a spokesperson.
The Web Security extension is still available in the Firefox Add-ons Portal, but Creative plans to submit an updated version for review. "I am sure that if they look into the issue, they will see that this is a normal and necessary behavior," said managing director Fabian Simon.