Privacy concerns over popular ShowIP Firefox add-on

Filed Under: Featured, Firefox, Privacy

ShowIPA popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.

Naked Security reader Rob Sanders alerted us to the activities of the recently updated ShowIP add-on for the Firefox browser.

According to the description on the Mozilla add-ons website, ShowIP is designed to "show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right click) and hostname (left click), like whois, netcraft, etc. Additionally you can copy the IP address to the clipboard."

Currently over 170,000 people are said to be using ShowIP.

What the add-on's description doesn't say is that since version 1.3 (released on April 19th 2012) it has also sent - unencrypted - the full URL of sites visited using HTTPS, and sites viewed in Private Browsing mode, to a site called ip2info.org.

The user never realises that the data has been shared with a third-party, unless they use special tools to monitor what data is being sent from their computer.

SophosLabs researcher Xiaochuan Zhang examined the add-on, and observed the potential privacy breach in action. In the following example, he used Wireshark to view the network packets being sent and observed his request to visit a non-existent website "www.thisisapparentlyafakeservice.me" being shared with ip2info.org.

Wireshark results

The full URL of every webpage visited is sent to the Germany-based ip2info.org website, using unencrypted connections.

In addition, the add-on has no warning that sites you visit might be disclosed, no privacy policy small print explaining its behaviour, and no apparent way to opt-out of the data-sharing.

ShowIP settings

Sanders told Naked Security that the issue was reported on the add-on's Google Code project page on 22nd April, but has received no response. Despite the alert, version 1.4 of the ShowIP add-on has since been released - and still exhibits the same behaviour.

Warning posted about privacy issue

Sanders said that he hoped the apparent privacy lapse was the case of naivety rather than a developer with more malicious intentions:

"I suspect it's the work of a very naive developer, but who knows nowadays. What bothers me most is how this code managed to get approved on the Mozilla Addons site (not once, but twice) and how it's still there 12 days later."

The ip2info.org website itself appears to be very new, having only been registered a month ago.

IP2Info WHOIS

And who appears to have registered the domain? A Berlin-based link marketing firm.

Hats On Marketing firm

Hmm.

We have asked the developers of ShowIP to comment on the apparent privacy issue, and will update this article with any response we receive.

Update: Mozilla has rolled the version of ShowIP they make available on their add-on site back to 1.0. They say they are working with the developer on correcting the issue. Hopefully in future their review process will flag privacy issues like this one to prevent users' data being potentially exposed.

Thanks to SophosLabs researcher Xiaochuan Zhang for his assistance with this article, and to Rob Sanders for the original tip.

, , , , , ,

You might like

25 Responses to Privacy concerns over popular ShowIP Firefox add-on

  1. @777productions · 719 days ago

    I think it's DISGUSTING that this happened...makes one wonder how many other addons are going to leak similar information to 3rd parties...makes me wonder if anyone should ever use firefox again ...

    • 666productions · 719 days ago

      Wrong. They should just not use add-ons, either Firefox or Chrome.

    • Harry pollard · 719 days ago

      Just checked the website and it's an ip lookup site much like the add-on. Maybe it gets data from there.

      • Caleb · 718 days ago

        If you read the article it said it was sending the information there, not receiving it. Plus you don't need an addon of any sort to find the ip of any website, just open your command prompt and type ping <webaddress> and you'll get all the same info that that addon gives you.

  2. dozykraut · 719 days ago

    Hats On and its creator efamous are fly-by-night owner operated shams. The registrant address in Hofheim is too small to swing a cat.

    I assume the Berlin address is a mail drop.

    The phone number in the domain registration is for a pre-paid mobile from generics retailer ALDI.

    • Robert W. · 719 days ago

      Nice going, more details exposed about this nefarious activity and persons
      behind it. Keep it coming!

  3. Mrtt · 719 days ago

    There is a place to "report abuse" on the right side of the Firefox addon page underneath "write review". Feel free to do that.
    https://addons.mozilla.org/en-US/firefox/addon/sh...

  4. Thiyag · 719 days ago

    Looks like Mozilla has rolled it back to version 1.0 from May 31, 2011.

  5. Freida Gray · 719 days ago

    I use Firefox but have never used this add-on, & never will after this article.

  6. Freida Gray · 719 days ago

    The basic reason that I have never used the ShowIP Address add-on is that I have the FlagFox add-on which will also show the IP address of websites if you point to the small flag in the address bar.As far as I know,this add-on doesn't send any information to 3rd party sites.

    • Robert W. · 719 days ago

      Sounds like an alternative worth investigating and using if it's OK without any
      malicious or privacy compromising behavior.

  7. I use FlagFox as well. It is WAY more useful than ShowIP and similar tools because it gives you not only the IP, hostname but also the country flag plus a whole range of (customizable) menu actions.

    It uses an internal database to look up the flags for IP's.

    More important, it gets the IP's from the Firefox DNS cache, showing there is ABSOLUTELY NO NEED to send out this information to a remote server -- and even if there were, it still should never be needed to send out the FULL URL, only the domain name.

    This is no accident...

  8. Lisa Brown · 718 days ago

    I noticed this when it updated. You could see all the entries via Messages in the Error Console. It also slowed Firefox to a crawl, making it unresponsive. I removed it as soon as I noticed what it was doing. Definitely not okay. Sad because I've used this for a long time and miss having the ip of the site I'm viewing so handy.

  9. Internaut · 718 days ago

    As Johan said, "This is no accident..." More and more honest computer users are having to find ways of defending their information from all sorts of Internet scum.

    It makes me wonder, if a hacker can do something so simple as in the ShowIp add-on, and Google can collect personal information, including passwords, email addresses and so on so easily, what is preventing the governments from keeping tabs on everyone? The governments have a bottomless pit of cash and can afford the best systems, and operators. Should I believe they would never do such a thing?

    I run a program that monitors every incoming request and lists where, what ISP, and whom it is coming from. I'm no longer amazed at the number of companies wanting to peek at what I'm doing, it is a minute by minute ongoing war keeping them out.

    To George Orwell - we've arrived buddy - we here.

  10. Nigel · 718 days ago

    This is an unconscionable lapse by Mozilla.

    MoFo (Moz Foundation) has been going downhill for a long time...pretty much since they dumped the Mozilla Suite and went "pop" with Firefox and Thunderbird, neither of which delivers on the promise that they would have the same "play nice with each other" functionality that the Moz Suite had...and, fortunately, that the SeaMonkey suite still has.

    Perhaps more fortunately, SeaMonkey is an independent product, not controlled by MoFo. That's all to the good, because the MoFo people appear to have lost their way, and perhaps have been poisoned by success. What a shame.

  11. LoriGard · 717 days ago

    Including a solution to the ShowIP problem would have been useful for the naive user. So, how do I find it and how do I get rid of it? (It doesn't show up in system or FireFox search results.)

  12. Lisa Brown · 716 days ago

    Lori, it's an add-on, if you didn't explicitly install it, you won't have it. It's not a part of Firefox. To see what add-ons you have, click Tools > Add-ons in the Firefox menu.

  13. puddlesmcdermit · 464 days ago

    the current version on Mozilla's add-on page still calls to api.ip2info.org on every page visit. (Firefox 18, Windows 7)

  14. Roby · 438 days ago

    I had last ver of Hide Ip and I downgrade to v.1.0, but after few days the ip2info.com cookie appeared again. :/

    I 've sent an appeal to ghostery.com to add the item to the blok list :)

  15. Serdar Apaydın · 102 days ago

    And I was wondering why I was receiving emails from related websites I was visiting. Thanks showip. Here is your product back. Take it.

  16. Matt · 60 days ago

    Might be interested t know that this extension now does advert hijacking (inserting adverts into the webpages you view) - definitely not a good extension!

  17. Before three days, developers of ShowIP added adware to it...
    I reported that plugin to Mozilla.

  18. Anonymous · 58 days ago

    Got here looking for information about unknown scripts (blocked by NoScript) suddenly appearing from ip2info.org - on every page including from localhost. Based on information here, have deleted the extension; no more extra scripts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.