User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160905130425
Steps to reproduce:
Please unlist the Web of Trust (WOT) add-on from https://addons.mozilla.org.
The add-on is spyware and sells your private data! It can be traced back to individual persons!
The German NDR (Northern German Broadcasting), a public radio and television broadcaster, discovered that the WOT add-on is spyware; see here (website is in German):
See also (websites are in German):
Translated using Google Translate:
1. Unlist the Web of Trust (WOT) add-on from your website: https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
2. Disable already installed Web of Trust (WOT) add-ons, as you do with old and insecure Adobe Flash plugins.
More technical details (German language):
Translated using Google Translate:
We haven't decided if this is happening yet. I just moved it to the right component.
I found evidence of a critical issue: WOT is able to remotely execute arbitrary commands on any page (including privileged parts of Firefox) if they wanted to.
For the full analysis, see https://gist.github.com/Rob--W/bda5f28a0ac3b877780c6665bbed2e1b
(In reply to Rob Wu [:robwu] from comment #3)
> I found evidence of a critical issue: WOT is able to remotely execute
> arbitrary commands on any page (including privileged parts of Firefox) if
> they wanted to.
It's worth pointing out that remote code execution is not a rare occurrence in add-ons, though we generally don't allow it (sometimes it's overlooked by reviewers).
Thank you for the detailed report, though, it should make it easier to determine what to do here.
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> (In reply to Rob Wu [:robwu] from comment #3)
> > I found evidence of a critical issue: WOT is able to remotely execute
> > arbitrary commands on any page (including privileged parts of Firefox) if
> > they wanted to.
> It's worth pointing out that remote code execution is not a rare occurrence
> in add-ons, though we generally don't allow it (sometimes it's overlooked by
Indeed, add-ons such as userscript managers have a legitimate need for code execution. But WOT does not need this ability, and definitely not the ability to run remote code anywhere, including about: pages (such as about:preferences). That power enables WOT to seize control of a computer if they wanted to, so the add-on (versions 20090918 until 20151208) should be blacklisted. Once they upload a new version without this "feature", we can reconsider listing the add-on.
(Note: I'm the original author of this extension, but haven't been affiliated with it for the past few years, during which time I believe there's been an ownership change.)
(In reply to Rob Wu [:robwu] from comment #5)
> But WOT does not need this ability, and definitely not the
> ability to run remote code anywhere
This functionality was quite necessary in 2009 when mutation observers didn't exist and Google started switching to dynamic search result pages. I fully agree that it shouldn't be needed these days though.
However, the actual issue that's being widely discussed in German media, which both you and AMO reviewers at the time appear to have completely missed, was introduced in 2015 in this commit:
This change adds logging of each visited URL and clearly attempts to obfuscate the traffic with double Base-64 encoding. It definitely sounds like something that should have been indicated to users.
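As an added illustration for reviewers (not code from this bug thread or from the WOT add-on itself), the following Python check peels nested Base-64 layers off request parameters and flags any that hide a URL behind two or more layers, the pattern described above; the parameter names and the sample URL are constructed for the demo.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def try_b64(s: str) -> Optional[bytes]:
    """Strictly decode one Base-64 layer; return None if s is not valid Base-64."""
    s = s.strip()
    if not s or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(value: str, max_layers: int = 4) -> Tuple[int, str]:
    """Decode Base-64 layers until the result is no longer valid Base-64 text.
    Returns (layers_removed, innermost_text); max_layers bounds the loop."""
    layers, current = 0, value
    while layers < max_layers:
        raw = try_b64(current)
        if raw is None:
            break
        try:
            current = raw.decode("utf-8")  # binary output means we went too far
        except UnicodeDecodeError:
            break
        layers += 1
    return layers, current


def looks_like_url(text: str) -> bool:
    parts = urlsplit(text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def flag_obfuscated_urls(params: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (param, layers, url) for every parameter hiding a URL under >= 2 layers."""
    hits = []
    for name, value in params.items():
        layers, inner = peel_base64(value)
        if layers >= 2 and looks_like_url(inner):
            hits.append((name, layers, inner))
    return hits


# Constructed sample request: "u" carries a visited URL wrapped in Base-64 twice,
# "q" is a single-layer value that must not be flagged, "v" is plain text.
VISITED = "https://example.org/private/page?id=123"
SAMPLE_PARAMS = {
    "v": "20151208",
    "u": base64.b64encode(base64.b64encode(VISITED.encode())).decode(),
    "q": base64.b64encode(b"plain-single-layer").decode(),
}

if __name__ == "__main__":
    for name, layers, url in flag_obfuscated_urls(SAMPLE_PARAMS):
        print(f"{name}: {layers} Base-64 layers hide {url}")
```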