| | |
|-|-|
|Extension name||
|Extension versions affected|<all versions>|
|Platforms affected|<all platforms>|
|Block severity|hard|

### Reason
Extensions are capable of executing remote code, and this fact is heavily obfuscated.

### Extension IDs
```
{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
```
and likely others at [crash reports](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&build_id=%3E%3D20190115221511&version=%2165.0.2&version=%2165.0.1&version=%2165.0&version=%2160.5.1esr&date=%3E%3D2019-04-07T18%3A37%3A00.000Z&date=%3C2019-06-14T18%3A37%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons) for extensions with the following characteristics:

- `manifest.json` contains `content_security_policy` with a https:-URL, and
- Extension has permissions `webRequest` and `webRequestBlocking`
- Code is heavily obfuscated, which hides the fact that they exploit bug 1544310

I recommend to scan all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklist them. If unsure, I am willing to help assessing whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases).

I have seen the sources of the first two extensions and they look similar.
Bug 1544315 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
| | |
|-|-|
|Extension name||
|Extension versions affected|<all versions>|
|Platforms affected|<all platforms>|
|Block severity|hard|

### Reason
Extensions are capable of executing remote code, and this fact is heavily obfuscated.

### Extension IDs
```
{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
{f9f072c8-5357-11e7-bb4c-c37ea2335fb4}
{b6d09408-a35e-11e7-bc48-f3e9438e081e}
{56a1e8d2-3ced-4919-aca5-ddd58e0f31ef}
{cf4bae43-026f-4e7e-a85a-952a7ca697a1}
{17052516-09be-11e9-a008-03419f6c8bc6}
{333fb3de-18a8-18e8-b6d3-e73213911efb}
{aa4abac2-1ffa-12aa-bbdd-9305cb2c1254}
{72222e70-2fd6-11e9-956b-27f7787b8d2d}
{ba74c7ee-32b1-11e9-ade5-1f2222a4f325}
{637212d8-3484-11e9-9812-005056b22b42}
{1c94bc8a-3ac1-12e1-aae7-0b314772229c}
{4a222e60-31de-1eca-8476-37565daf6afb}
{3fab603e-3ee1-1222-a859-5f85a3441216}
{7fc6d222-48d5-11e9-b586-17e94c73a1b1}
```
and likely others at [crash reports](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&build_id=%3E%3D20190115221511&version=%2165.0.2&version=%2165.0.1&version=%2165.0&version=%2160.5.1esr&date=%3E%3D2019-04-07T18%3A37%3A00.000Z&date=%3C2019-06-14T18%3A37%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons) for extensions with the following characteristics:

- `manifest.json` contains `content_security_policy` with a https:-URL (`script-src[^;]+https:`) (the https:-URL is seemingly innocent, such as a CDN URL), and
- Extension has permissions `webRequest` and `webRequestBlocking`
- Code is heavily obfuscated, which hides the fact that they exploit bug 1544310
- Extension's JavaScript code does not contain "webRequest".

I recommend to scan all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklist them. If unsure, I am willing to help assessing whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases).

EDIT: Expanded the list. The above list of add-ons [accounts for 1002 of the crash reports on April, 12th](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&date=%3E%3D2019-04-12T23%3A00%3A00.000Z&date=%3C2019-04-13T23%3A00%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which matches with my expectations from comment 1.
| | |
|-|-|
|Extension name||
|Extension versions affected|<all versions>|
|Platforms affected|<all platforms>|
|Block severity|hard|

### Reason
Extensions are capable of executing remote code, and this fact is heavily obfuscated.

### Extension IDs
```
{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
{f9f072c8-5357-11e7-bb4c-c37ea2335fb4}
{b6d09408-a35e-11e7-bc48-f3e9438e081e}
{56a1e8d2-3ced-4919-aca5-ddd58e0f31ef}
{cf4bae43-026f-4e7e-a85a-952a7ca697a1}
{17052516-09be-11e9-a008-03419f6c8bc6}
{333fb3de-18a8-18e8-b6d3-e73213911efb}
{aa4abac2-1ffa-12aa-bbdd-9305cb2c1254}
{72222e70-2fd6-11e9-956b-27f7787b8d2d}
{ba74c7ee-32b1-11e9-ade5-1f2222a4f325}
{637212d8-3484-11e9-9812-005056b22b42}
{1c94bc8a-3ac1-12e1-aae7-0b314772229c}
{4a222e60-31de-1eca-8476-37565daf6afb}
{3fab603e-3ee1-1222-a859-5f85a3441216}
{7fc6d222-48d5-11e9-b586-17e94c73a1b1}
```
and likely others at [crash reports](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&build_id=%3E%3D20190115221511&version=%2165.0.2&version=%2165.0.1&version=%2165.0&version=%2160.5.1esr&date=%3E%3D2019-04-07T18%3A37%3A00.000Z&date=%3C2019-06-14T18%3A37%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons) for extensions with the following characteristics:

- `manifest.json` contains `content_security_policy` with a https:-URL (`script-src[^;]+https:`) (the https:-URL is seemingly innocent, such as a CDN URL), and
- Extension has permissions `webRequest`, `webRequestBlocking`, `storage`, `webNavigation`, `<all_urls>`.
- Code is heavily obfuscated, which hides the fact that they exploit bug 1544310
- Extension's background script is minified and contains "new TextEncoder()" or "return TextEncoder"
- Extension's JavaScript code does not contain "webRequest".

I recommend to scan all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklist them. If unsure, I am willing to help assessing whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases).

EDIT: Expanded the list. The above list of add-ons [accounts for 1002 of the crash reports on April, 12th](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&date=%3E%3D2019-04-12T23%3A00%3A00.000Z&date=%3C2019-04-13T23%3A00%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which matches with my expectations from comment 1.
| | |
|-|-|
|Extension name||
|Extension versions affected|<all versions>|
|Platforms affected|<all platforms>|
|Block severity|hard|

### Reason
Extensions are capable of executing remote code, and this fact is heavily obfuscated.

### Extension IDs
```
{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
{f9f072c8-5357-11e7-bb4c-c37ea2335fb4}
{b6d09408-a35e-11e7-bc48-f3e9438e081e}
{56a1e8d2-3ced-4919-aca5-ddd58e0f31ef}
{cf4bae43-026f-4e7e-a85a-952a7ca697a1}
{17052516-09be-11e9-a008-03419f6c8bc6}
{333fb3de-18a8-18e8-b6d3-e73213911efb}
{aa4abac2-1ffa-12aa-bbdd-9305cb2c1254}
{72222e70-2fd6-11e9-956b-27f7787b8d2d}
{ba74c7ee-32b1-11e9-ade5-1f2222a4f325}
{637212d8-3484-11e9-9812-005056b22b42}
{1c94bc8a-3ac1-12e1-aae7-0b314772229c}
{4a222e60-31de-1eca-8476-37565daf6afb}
{3fab603e-3ee1-1222-a859-5f85a3441216}
{7fc6d222-48d5-11e9-b586-17e94c73a1b1}
{e111c358-121b-13fa-bf23-bb57da32d184}
{9674445c-8dff-4580-96b2-99442a7ae9af}
{8a22255c-4737-11e9-a86b-0bb66337cb31}
{a9c33302-4c97-11e9-9a9d-af400df725e3}
{03dfffe0-509f-11e9-aa00-e7e13d49f3de}
{a9c33302-4c97-11e9-9a9d-af400df725e1}
{e555c358-121b-13fa-bf23-bb57da32d184}
```
and likely others at [crash reports](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&build_id=%3E%3D20190115221511&version=%2165.0.2&version=%2165.0.1&version=%2165.0&version=%2160.5.1esr&date=%3E%3D2019-04-07T18%3A37%3A00.000Z&date=%3C2019-06-14T18%3A37%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons) for extensions with the following characteristics:

- `manifest.json` contains `content_security_policy` with a https:-URL (`script-src[^;]+https:`) (the https:-URL is seemingly innocent, such as a CDN URL), and
- Extension has permissions `webRequest`, `webRequestBlocking`, `storage`, `webNavigation`, `<all_urls>`.
- Code is heavily obfuscated, which hides the fact that they exploit bug 1544310
- Extension's background script is minified and contains "new TextEncoder()" or "return TextEncoder"
- Extension's JavaScript code does not contain "webRequest".

I recommend to scan all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklist them. If unsure, I am willing to help assessing whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases).

EDIT: Expanded the list. The above list of add-ons [accounts for 1002 of the crash reports on April, 12th](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&date=%3E%3D2019-04-12T23%3A00%3A00.000Z&date=%3C2019-04-13T23%3A00%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which matches with my expectations from comment 1.

EDIT2: Expanded the list once again, now based on all files from AMO that match the above query.

- [6612 crash reports in the past week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports)
- [6480 crash reports including one of the above add-ons](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Be111c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B9674445c-8dff-4580-96b2-99442a7ae9af%7D&addons=~%7B8a22255c-4737-11e9-a86b-0bb66337cb31%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e3%7D&addons=~%7B03dfffe0-509f-11e9-aa00-e7e13d49f3de%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e1%7D&addons=~%7Be555c358-121b-13fa-bf23-bb57da32d184%7D&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports)
- The difference is 132, which is similar to the [122 from the previous week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-03T13%3A43%3A00.000Z&date=%3C2019-04-10T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which in turn is higher than the weeks before (at [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-27T13%3A43%3A00.000Z&date=%3C2019-04-03T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [61](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-20T13%3A43%3A00.000Z&date=%3C2019-03-27T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-13T13%3A43%3A00.000Z&date=%3C2019-03-20T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [65](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-06T13%3A43%3A00.000Z&date=%3C2019-03-13T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [67](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-02-27T13%3A43%3A00.000Z&date=%3C2019-03-06T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) crashes per week).
| | |
|-|-|
|Extension name||
|Extension versions affected|<all versions>|
|Platforms affected|<all platforms>|
|Block severity|hard|

### Reason
Extensions are capable of executing remote code, and this fact is heavily obfuscated.

### Extension IDs
```
{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
{f9f072c8-5357-11e7-bb4c-c37ea2335fb4}
{b6d09408-a35e-11e7-bc48-f3e9438e081e}
{56a1e8d2-3ced-4919-aca5-ddd58e0f31ef}
{cf4bae43-026f-4e7e-a85a-952a7ca697a1}
{17052516-09be-11e9-a008-03419f6c8bc6}
{333fb3de-18a8-18e8-b6d3-e73213911efb}
{aa4abac2-1ffa-12aa-bbdd-9305cb2c1254}
{72222e70-2fd6-11e9-956b-27f7787b8d2d}
{ba74c7ee-32b1-11e9-ade5-1f2222a4f325}
{637212d8-3484-11e9-9812-005056b22b42}
{1c94bc8a-3ac1-12e1-aae7-0b314772229c}
{4a222e60-31de-1eca-8476-37565daf6afb}
{3fab603e-3ee1-1222-a859-5f85a3441216}
{7fc6d222-48d5-11e9-b586-17e94c73a1b1}
{e111c358-121b-13fa-bf23-bb57da32d184}
{9674445c-8dff-4580-96b2-99442a7ae9af}
```
and likely others at [crash reports](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&build_id=%3E%3D20190115221511&version=%2165.0.2&version=%2165.0.1&version=%2165.0&version=%2160.5.1esr&date=%3E%3D2019-04-07T18%3A37%3A00.000Z&date=%3C2019-06-14T18%3A37%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons) for extensions with the following characteristics:

- `manifest.json` contains `content_security_policy` with a https:-URL (`script-src[^;]+https:`) (the https:-URL is seemingly innocent, such as a CDN URL), and
- Extension has permissions `webRequest`, `webRequestBlocking`, `storage`, `webNavigation`, `<all_urls>`.
- Code is heavily obfuscated, which hides the fact that they exploit bug 1544310
- Extension's background script is minified and contains "new TextEncoder()" or "return TextEncoder"
- Extension's JavaScript code does not contain "webRequest".

I recommend to scan all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklist them. If unsure, I am willing to help assessing whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases).

EDIT: Expanded the list. The above list of add-ons [accounts for 1002 of the crash reports on April, 12th](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&date=%3E%3D2019-04-12T23%3A00%3A00.000Z&date=%3C2019-04-13T23%3A00%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which matches with my expectations from comment 1.

EDIT2: Expanded the list once again, now based on all files from AMO that match the above query.

- [6612 crash reports in the past week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports)
- [6480 crash reports including one of the above add-ons](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Be111c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B9674445c-8dff-4580-96b2-99442a7ae9af%7D&addons=~%7B8a22255c-4737-11e9-a86b-0bb66337cb31%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e3%7D&addons=~%7B03dfffe0-509f-11e9-aa00-e7e13d49f3de%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e1%7D&addons=~%7Be555c358-121b-13fa-bf23-bb57da32d184%7D&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports)
- The difference is 132, which is similar to the [122 from the previous week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-03T13%3A43%3A00.000Z&date=%3C2019-04-10T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which in turn is higher than the weeks before (at [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-27T13%3A43%3A00.000Z&date=%3C2019-04-03T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [61](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-20T13%3A43%3A00.000Z&date=%3C2019-03-27T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-13T13%3A43%3A00.000Z&date=%3C2019-03-20T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [65](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-06T13%3A43%3A00.000Z&date=%3C2019-03-13T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [67](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-02-27T13%3A43%3A00.000Z&date=%3C2019-03-06T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) crashes per week).

The following add-on IDs also matched the given criteria, but apparently they've already been blocked.
```
{8a22255c-4737-11e9-a86b-0bb66337cb31}
{a9c33302-4c97-11e9-9a9d-af400df725e3}
{03dfffe0-509f-11e9-aa00-e7e13d49f3de}
{a9c33302-4c97-11e9-9a9d-af400df725e1}
```
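The characteristics listed in the revisions above can be checked mechanically against an XPI archive. The following is an added example, not code from the bug or from Mozilla's tooling; the function names, the minification threshold and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import json
import re
import zipfile

# Criteria quoted from the comment.
CSP_REMOTE_SCRIPT = re.compile(r"script-src[^;]+https:")
REQUIRED_PERMISSIONS = {"webRequest", "webRequestBlocking", "storage",
                        "webNavigation", "<all_urls>"}
TEXTENCODER_MARKERS = ("new TextEncoder()", "return TextEncoder")
# Assumption (not from the comment): a script counts as minified when its
# non-empty lines average more than this many characters.
MINIFIED_AVG_LINE_LEN = 200


def looks_minified(source):
    lines = [ln for ln in source.splitlines() if ln.strip()]
    return bool(lines) and sum(map(len, lines)) / len(lines) > MINIFIED_AVG_LINE_LEN


def scan_xpi(data):
    """Evaluate each listed characteristic for one XPI (zip) given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        # Limitation: a manifest containing // comments is not strict JSON.
        manifest = json.loads(xpi.read("manifest.json").decode("utf-8-sig"))
        js = {name: xpi.read(name).decode("utf-8", errors="replace")
              for name in xpi.namelist() if name.endswith(".js")}

    csp = manifest.get("content_security_policy")
    csp = csp if isinstance(csp, str) else ""
    permissions = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Limitation: only background.scripts is followed, not a background page.
    background = manifest.get("background")
    scripts = background.get("scripts", []) if isinstance(background, dict) else []
    bg_sources = [js[s.lstrip("/")] for s in scripts
                  if isinstance(s, str) and s.lstrip("/") in js]

    return {
        # [^;]+ keeps the match inside the script-src directive itself.
        "csp_remote_script": bool(CSP_REMOTE_SCRIPT.search(csp)),
        "permission_set": REQUIRED_PERMISSIONS <= permissions,
        "minified_textencoder_background": any(
            looks_minified(src) and any(m in src for m in TEXTENCODER_MARKERS)
            for src in bg_sources),
        # The permission is requested, yet no script names the API literally.
        "no_webrequest_in_js": all("webRequest" not in src for src in js.values()),
    }


def is_candidate(findings):
    """Flag for manual review only when every characteristic matches."""
    return all(findings.values())


def build_xpi(manifest, files):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
        for name, body in files.items():
            archive.writestr(name, body)
    return buf.getvalue()


# Constructed samples; none of this is taken from a real add-on.
PERMS = sorted(REQUIRED_PERMISSIONS)
MINIFIED_JS = ("!function(){var e=new TextEncoder();var t=["
               + ",".join(map(str, range(200)))
               + "];e.encode(String(t))}();")
READABLE_JS = ("browser.webRequest.onBeforeRequest.addListener(\n"
               "  details => ({cancel: false}),\n"
               "  {urls: ['<all_urls>']},\n"
               "  ['blocking']\n"
               ");\n")

SUSPICIOUS_XPI = build_xpi(
    {"manifest_version": 2, "name": "sample-a", "version": "1.0",
     "permissions": PERMS, "background": {"scripts": ["bg.js"]},
     "content_security_policy":
         "script-src 'self' https://cdn.example.com; object-src 'self'"},
    {"bg.js": MINIFIED_JS})

# Same code, but https: appears only in img-src, so the CSP pattern must not match.
CSP_IMG_ONLY_XPI = build_xpi(
    {"manifest_version": 2, "name": "sample-b", "version": "1.0",
     "permissions": PERMS, "background": {"scripts": ["bg.js"]},
     "content_security_policy": "script-src 'self'; img-src https:"},
    {"bg.js": MINIFIED_JS})

# Same permissions, default CSP, readable code that uses webRequest openly.
BENIGN_XPI = build_xpi(
    {"manifest_version": 2, "name": "sample-c", "version": "1.0",
     "permissions": PERMS, "background": {"scripts": ["bg.js"]}},
    {"bg.js": READABLE_JS})

if __name__ == "__main__":
    for label, xpi in [("sample-a", SUSPICIOUS_XPI),
                       ("sample-b", CSP_IMG_ONLY_XPI),
                       ("sample-c", BENIGN_XPI)]:
        findings = scan_xpi(xpi)
        print(label, "candidate" if is_candidate(findings) else "no match", findings)
```

A match is a prompt for manual source review, in line with the comment's offer to help assess unclear cases, not a verdict on its own.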
4c97-11e9-9a9d-af400df725e1%7D&addons=~%7Be555c358-121b-13fa-bf23-bb57da32d184%7D&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) - The difference is 132, which is similar to the [122 from the previous week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-03T13%3A43%3A00.000Z&date=%3C2019-04-10T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which in turn is higher than the weeks before (at [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-27T13%3A43%3A00.000Z&date=%3C2019-04-03T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [61](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-20T13%3A43%3A00.000Z&date=%3C2019-03-27T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), 
[55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-13T13%3A43%3A00.000Z&date=%3C2019-03-20T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [65](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-06T13%3A43%3A00.000Z&date=%3C2019-03-13T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [67](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-02-27T13%3A43%3A00.000Z&date=%3C2019-03-06T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) crashes per week). The following add-on IDs also matched the given criteria, but apparently they've already been blocked. ``` {8a22255c-4737-11e9-a86b-0bb66337cb31} - https://bugzilla.mozilla.org/show_bug.cgi?id=1535655 {a9c33302-4c97-11e9-9a9d-af400df725e3} - https://bugzilla.mozilla.org/show_bug.cgi?id=1538141 {03dfffe0-509f-11e9-aa00-e7e13d49f3de} - https://bugzilla.mozilla.org/show_bug.cgi?id=1540113 {a9c33302-4c97-11e9-9a9d-af400df725e1} - https://bugzilla.mozilla.org/show_bug.cgi?id=1539514 {e555c358-121b-13fa-bf23-bb57da32d184} - https://bugzilla.mozilla.org/show_bug.cgi?id=1540111 ```
| | |
|-|-|
|Extension name||
|Extension versions affected|<all versions>|
|Platforms affected|<all platforms>|
|Block severity|hard|

### Reason
Extensions are capable of executing remote code, and this fact is heavily obfuscated.

### Extension IDs
```
{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
{f9f072c8-5357-11e7-bb4c-c37ea2335fb4}
{b6d09408-a35e-11e7-bc48-f3e9438e081e}
{56a1e8d2-3ced-4919-aca5-ddd58e0f31ef}
{cf4bae43-026f-4e7e-a85a-952a7ca697a1}
{17052516-09be-11e9-a008-03419f6c8bc6}
{333fb3de-18a8-18e8-b6d3-e73213911efb}
{aa4abac2-1ffa-12aa-bbdd-9305cb2c1254}
{72222e70-2fd6-11e9-956b-27f7787b8d2d}
{ba74c7ee-32b1-11e9-ade5-1f2222a4f325}
{637212d8-3484-11e9-9812-005056b22b42}
{1c94bc8a-3ac1-12e1-aae7-0b314772229c}
{4a222e60-31de-1eca-8476-37565daf6afb}
{3fab603e-3ee1-1222-a859-5f85a3441216}
{7fc6d222-48d5-11e9-b586-17e94c73a1b1}
{e111c358-121b-13fa-bf23-bb57da32d184}
{9674445c-8dff-4580-96b2-99442a7ae9af}
```
and likely others at [crash reports](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&build_id=%3E%3D20190115221511&version=%2165.0.2&version=%2165.0.1&version=%2165.0&version=%2160.5.1esr&date=%3E%3D2019-04-07T18%3A37%3A00.000Z&date=%3C2019-06-14T18%3A37%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons) for extensions with the following characteristics:

- `manifest.json` contains `content_security_policy` with a https:-URL (`script-src[^;]+https:`) (the https:-URL is seemingly innocent, such as a CDN URL), and
- Extension has permissions `webRequest`, `webRequestBlocking`, `storage`, `webNavigation`, `<all_urls>`.
- Code is heavily obfuscated, which hides the fact that they exploit bug 1544310 - Extension's background script is minified and contains "new TextEncoder()" or "return TextEncoder" - Extension's JavaScript code does not contain "webRequest". I recommend to scan all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklist them. If unsure, I am willing to help assessing whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases). EDIT: Expanded the list. The above list of add-ons [accounts for 1002 of the crash reports on April, 12th](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&date=%3E%3D2019-04-12T23%3A00%3A00.000Z&date=%3C2019-04-13T23%3A00%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which matches with my 
expectations from comment 1. EDIT2: Expanded the list once again, now based on all files from AMO that match the above query. - [6612 crash reports in the past week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) - [6480 crash reports including one of the above add-ons](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Be111c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B9674445c-8dff-4580-96b2-99442a7ae9af%7D&addons=~%7B8a22255c-4737-11e9-a86b-0bb66337cb31%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e3%7D&addons=~%7B03dfffe0-509f-11e9-aa00-e7e13d49f3de%7D&addons=~%7Ba9c33302-
4c97-11e9-9a9d-af400df725e1%7D&addons=~%7Be555c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B674fff65-6cd0-488a-9453-fb91fc3d7397%7D&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) - The difference is 131, which is similar to the [122 from the previous week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-03T13%3A43%3A00.000Z&date=%3C2019-04-10T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which in turn is higher than the weeks before (at [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-27T13%3A43%3A00.000Z&date=%3C2019-04-03T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [61](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-20T13%3A43%3A00.000Z&date=%3C2019-03-27T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), 
[55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-13T13%3A43%3A00.000Z&date=%3C2019-03-20T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [65](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-06T13%3A43%3A00.000Z&date=%3C2019-03-13T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [67](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-02-27T13%3A43%3A00.000Z&date=%3C2019-03-06T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) crashes per week). The following add-on IDs also matched the given criteria, but apparently they've already been blocked. `{8a22255c-4737-11e9-a86b-0bb66337cb31}` - bug 1535655 `{a9c33302-4c97-11e9-9a9d-af400df725e3}` - bug 1538141 `{03dfffe0-509f-11e9-aa00-e7e13d49f3de}` - bug 1540113 `{a9c33302-4c97-11e9-9a9d-af400df725e1}` - bug 1539514 `{e555c358-121b-13fa-bf23-bb57da32d184}` - bug 1540111 `{674fff65-6cd0-488a-9453-fb91fc3d7397}` - bug 1543924 (in progress).
| | |
|-|-|
|Extension name||
|Extension versions affected|<all versions>|
|Platforms affected|<all platforms>|
|Block severity|hard|

### Reason
Extensions are capable of executing remote code, and this fact is heavily obfuscated.

### Extension IDs
```
{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
{cf4bae43-026f-4e7e-a85a-952a7ca697a1}
{17052516-09be-11e9-a008-03419f6c8bc6}
{333fb3de-18a8-18e8-b6d3-e73213911efb}
{aa4abac2-1ffa-12aa-bbdd-9305cb2c1254}
{72222e70-2fd6-11e9-956b-27f7787b8d2d}
{637212d8-3484-11e9-9812-005056b22b42}
{4a222e60-31de-1eca-8476-37565daf6afb}
{7fc6d222-48d5-11e9-b586-17e94c73a1b1}
{e111c358-121b-13fa-bf23-bb57da32d184}
{9674445c-8dff-4580-96b2-99442a7ae9af}
```
and likely others at [crash reports](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&build_id=%3E%3D20190115221511&version=%2165.0.2&version=%2165.0.1&version=%2165.0&version=%2160.5.1esr&date=%3E%3D2019-04-07T18%3A37%3A00.000Z&date=%3C2019-06-14T18%3A37%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons) for extensions with the following characteristics:

- `manifest.json` contains `content_security_policy` with a https:-URL (`script-src[^;]+https:`) (the https:-URL is seemingly innocent, such as a CDN URL), and
- Extension has permissions `webRequest`, `webRequestBlocking`, `storage`, `webNavigation`, `<all_urls>`.
- Code is heavily obfuscated, which hides the fact that they exploit bug 1544310
- Extension's background script is minified and contains "new TextEncoder()" or "return TextEncoder"
- Extension's JavaScript code does not contain "webRequest".

I recommend to scan all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklist them. If unsure, I am willing to help assessing whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases). EDIT: Expanded the list. The above list of add-ons [accounts for 1002 of the crash reports on April, 12th](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&date=%3E%3D2019-04-12T23%3A00%3A00.000Z&date=%3C2019-04-13T23%3A00%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which matches with my expectations from comment 1. EDIT2: Expanded the list once again, now based on all files from AMO that match the above query. 
- [6612 crash reports in the past week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) - [6480 crash reports including one of the above add-ons](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7Bf9f072c8-5357-11e7-bb4c-c37ea2335fb4%7D&addons=~%7Bb6d09408-a35e-11e7-bc48-f3e9438e081e%7D&addons=~%7B56a1e8d2-3ced-4919-aca5-ddd58e0f31ef%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Be111c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B9674445c-8dff-4580-96b2-99442a7ae9af%7D&addons=~%7B8a22255c-4737-11e9-a86b-0bb66337cb31%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e3%7D&addons=~%7B03dfffe0-509f-11e9-aa00-e7e13d49f3de%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e1%7D&addons=~%7Be555c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B674fff65-6cd0-488a-9453-fb91fc3d7
397%7D&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) (EDIT3: after removing already-blocklisted add-ons from the list, [there are only 6376 matches](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Be111c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B9674445c-8dff-4580-96b2-99442a7ae9af%7D&addons=~%7B8a22255c-4737-11e9-a86b-0bb66337cb31%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e3%7D&addons=~%7B03dfffe0-509f-11e9-aa00-e7e13d49f3de%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e1%7D&addons=~%7Be555c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B674fff65-6cd0-488a-9453-fb91fc3d7397%7D&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports)) - The difference is 131, which is similar to the [122 from the previous 
week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-04-03T13%3A43%3A00.000Z&date=%3C2019-04-10T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), which in turn is higher than the weeks before (at [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-27T13%3A43%3A00.000Z&date=%3C2019-04-03T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [61](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-20T13%3A43%3A00.000Z&date=%3C2019-03-27T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [55](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-13T13%3A43%3A00.000Z&date=%3C2019-03-20T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), 
[65](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-03-06T13%3A43%3A00.000Z&date=%3C2019-03-13T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports), [67](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&date=%3E%3D2019-02-27T13%3A43%3A00.000Z&date=%3C2019-03-06T13%3A43%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports) crashes per week). The following add-on IDs also matched the given criteria, but apparently they've already been blocked. `{8a22255c-4737-11e9-a86b-0bb66337cb31}` - bug 1535655 `{a9c33302-4c97-11e9-9a9d-af400df725e3}` - bug 1538141 `{03dfffe0-509f-11e9-aa00-e7e13d49f3de}` - bug 1540113 `{a9c33302-4c97-11e9-9a9d-af400df725e1}` - bug 1539514 `{e555c358-121b-13fa-bf23-bb57da32d184}` - bug 1540111 `{674fff65-6cd0-488a-9453-fb91fc3d7397}` - bug 1543924 (in progress). 
EDIT3: The following have already been blocklisted, but they still show up in crash reports ([48 of them in the past week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7Bba74c7ee-32b1-11e9-ade5-1f2222a4f325%7D&addons=~%7B1c94bc8a-3ac1-12e1-aae7-0b314772229c%7D&addons=~%7B3fab603e-3ee1-1222-a859-5f85a3441216%7D&date=%3E%3D2019-04-10T18%3A35%3A00.000Z&date=%3C2019-04-17T18%3A35%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-addons); not all crashes are attributable to them). I removed them from the original list, leaving the number of crashes covered by the above add-ons at [6376 in the past week](https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&signature=%3Dvoid%20mozilla%3A%3Aextensions%3A%3AStreamFilterParent%3A%3AInit&addons=~%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&addons=~%7Bf0780038-50b9-11e9-9c72-4ba2d8f2ec9f%7D&addons=~%7B22ffe411-2b0e-11e9-87f9-c329f1f9c8d2%7D&addons=~%7Bcf4bae43-026f-4e7e-a85a-952a7ca697a1%7D&addons=~%7B17052516-09be-11e9-a008-03419f6c8bc6%7D&addons=~%7B333fb3de-18a8-18e8-b6d3-e73213911efb%7D&addons=~%7Baa4abac2-1ffa-12aa-bbdd-9305cb2c1254%7D&addons=~%7B72222e70-2fd6-11e9-956b-27f7787b8d2d%7D&addons=~%7B637212d8-3484-11e9-9812-005056b22b42%7D&addons=~%7B4a222e60-31de-1eca-8476-37565daf6afb%7D&addons=~%7B7fc6d222-48d5-11e9-b586-17e94c73a1b1%7D&addons=~%7Be111c358-121b-13fa-bf23-bb57da32d184%7D&addons=~%7B9674445c-8dff-4580-96b2-99442a7ae9af%7D&addons=~%7B8a22255c-4737-11e9-a86b-0bb66337cb31%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e3%7D&addons=~%7B03dfffe0-509f-11e9-aa00-e7e13d49f3de%7D&addons=~%7Ba9c33302-4c97-11e9-9a9d-af400df725e1%7D&addons=~%7Be555c358-121b-13fa-bf23-bb57da32d184%7D&addo
ns=~%7B674fff65-6cd0-488a-9453-fb91fc3d7397%7D&date=%3E%3D2019-04-10T13%3A39%3A00.000Z&date=%3C2019-04-17T13%3A39%3A00.000Z&_facets=signature&_facets=version&_facets=addons&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports). `{ba74c7ee-32b1-11e9-ade5-1f2222a4f325}` - bug 1529573 `{1c94bc8a-3ac1-12e1-aae7-0b314772229c}` - bug 1535655 `{3fab603e-3ee1-1222-a859-5f85a3441216}` - bug 1535655
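
The characteristics listed in the comment above can be applied as a static triage check over an XPI archive. The following is an added example, not code from the bug report or from Mozilla's review tooling; the minification threshold, the function names and the two sample archives are constructed assumptions.

```python
import io
import json
import posixpath
import re
import zipfile

# Criteria quoted from the comment. MINIFIED_AVG_LINE is an assumed threshold.
CSP_HTTPS_SCRIPT = re.compile(r"script-src[^;]+https:")
PERMISSIONS = {"webRequest", "webRequestBlocking", "storage",
               "webNavigation", "<all_urls>"}
TEXTENCODER_MARKERS = ("new TextEncoder()", "return TextEncoder")
MINIFIED_AVG_LINE = 200


def looks_minified(source):
    """Assumed heuristic: long average length of the non-empty lines."""
    lines = [line for line in source.splitlines() if line.strip()]
    return bool(lines) and sum(map(len, lines)) / len(lines) >= MINIFIED_AVG_LINE


def scan_xpi(data):
    """Return one boolean per criterion, plus 'match', for an XPI given as bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as xpi:
            manifest = json.loads(xpi.read("manifest.json").decode("utf-8-sig"))
            scripts = {name: xpi.read(name).decode("utf-8", "replace")
                       for name in xpi.namelist() if name.endswith(".js")}
    except (zipfile.BadZipFile, KeyError, ValueError) as exc:
        # Not a zip, no manifest.json, or a manifest that is not strict JSON.
        return {"error": f"{type(exc).__name__}: {exc}", "match": False}
    if not isinstance(manifest, dict):
        return {"error": "manifest.json is not an object", "match": False}

    csp = manifest.get("content_security_policy")
    csp = csp if isinstance(csp, str) else ""
    perms = manifest.get("permissions")
    perms = {p for p in perms if isinstance(p, str)} if isinstance(perms, list) else set()

    # Resolve the background scripts named in the manifest to archive members.
    background = manifest.get("background")
    paths = background.get("scripts") if isinstance(background, dict) else None
    paths = paths if isinstance(paths, list) else []
    bg_sources = [scripts[name] for name in
                  (posixpath.normpath(str(p).lstrip("/")) for p in paths)
                  if name in scripts]

    checks = {
        "csp_https_script_src": bool(CSP_HTTPS_SCRIPT.search(csp)),
        "permission_set": PERMISSIONS <= perms,
        "minified_background_textencoder": any(
            looks_minified(src) and any(m in src for m in TEXTENCODER_MARKERS)
            for src in bg_sources),
        # Permission is requested, yet the string never appears in any script.
        "no_webrequest_in_js": bool(scripts) and not any(
            "webRequest" in src for src in scripts.values()),
    }
    checks["match"] = all(checks.values())
    return checks


def build_xpi(manifest, files):
    """Build an in-memory XPI for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps(manifest))
        for name, body in files.items():
            xpi.writestr(name, body)
    return buf.getvalue()


# Constructed sample that meets every criterion (harmless filler code).
_FILLER = "var a=" + "+".join(f"f{i}(x)" for i in range(80)) + ";"
SUSPECT = build_xpi(
    {"manifest_version": 2, "name": "constructed-suspect", "version": "1.0",
     "content_security_policy":
         "script-src 'self' https://cdn.example.com; object-src 'self'",
     "permissions": sorted(PERMISSIONS),
     "background": {"scripts": ["bg.js"]}},
    {"bg.js": _FILLER + "function e(){return new TextEncoder()}"})

# Constructed sample with the same permissions, readable code, default CSP.
BENIGN = build_xpi(
    {"manifest_version": 2, "name": "constructed-benign", "version": "1.0",
     "permissions": sorted(PERMISSIONS),
     "background": {"scripts": ["bg.js"]}},
    {"bg.js": "browser.webRequest.onBeforeRequest.addListener(\n"
              "  details => ({}),\n"
              "  {urls: ['<all_urls>']},\n"
              "  ['blocking']\n"
              ");\n"})

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan_xpi(data))
```

A `match` is a triage signal for manual review; the "heavily obfuscated" characteristic is only approximated by the line-length heuristic.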