A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.
Naked Security reader Rob Sanders alerted us to the activities of the recently updated ShowIP add-on for the Firefox browser.
According to the description on the Mozilla add-ons website, ShowIP is designed to “show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right click) and hostname (left click), like whois, netcraft, etc. Additionally you can copy the IP address to the clipboard.”
Currently over 170,000 people are said to be using ShowIP.
What the add-on’s description doesn’t say is that since version 1.3 (released on 19 April 2012) it has also sent the full URL of every page visited, including pages loaded over HTTPS and pages viewed in Private Browsing mode, over an unencrypted connection to a site called ip2info.org.
Users have no way of knowing that the data has been shared with a third party unless they use a packet sniffer or proxy to monitor what their computer is sending.
SophosLabs researcher Xiaochuan Zhang examined the add-on, and observed the potential privacy breach in action. In the following example, he used Wireshark to view the network packets being sent and observed his request to visit a non-existent website “www.thisisapparentlyafakeservice.me” being shared with ip2info.org.
The full URL of every webpage visited is sent to the Germany-based ip2info.org website over an unencrypted connection. Because a full URL includes the path and query string, that can mean search terms, account identifiers and session tokens that the original HTTPS connection was meant to keep private.
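The check Zhang did by eye in Wireshark can be scripted. The following is an added example, not code from the article or from the add-on: it takes constructed plaintext HTTP request lines of the shape a packet capture of a URL-leaking add-on would show (the hostnames api.ip2info.org and www.thisisapparentlyafakeservice.me come from this page; the /lookup path and the url= and host= parameter names are assumptions) and flags every request whose query string carries an absolute URL belonging to a different host than the one the request was sent to.

```python
"""Flag plaintext HTTP requests that hand another site's full URL to a third party."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed sample capture: (destination host, request line). The hostnames
# come from the article; the /lookup path and the url= / host= parameter names
# are assumptions, not the add-on's real protocol.
SAMPLE_REQUESTS = [
    # an HTTPS page, complete with a session token in its query string
    ("api.ip2info.org",
     "GET /lookup?url=https%3A%2F%2Fmail.example.com%2Finbox%3Ftoken%3Dabc123 HTTP/1.1"),
    # the non-existent site used in the Wireshark test
    ("api.ip2info.org",
     "GET /lookup?url=http%3A%2F%2Fwww.thisisapparentlyafakeservice.me%2F HTTP/1.1"),
    # the browser's own request to that site: first party, not a leak
    ("www.thisisapparentlyafakeservice.me", "GET / HTTP/1.1"),
    # a lookup that sends only the hostname: the most an IP lookup service needs
    ("api.ip2info.org", "GET /lookup?host=mail.example.com HTTP/1.1"),
    # a redirect parameter pointing back at the same host: not a leak either
    ("api.ip2info.org", "GET /login?next=https%3A%2F%2Fapi.ip2info.org%2Fhome HTTP/1.1"),
]


@dataclass(frozen=True)
class Leak:
    dest_host: str      # third party that received the URL
    param: str          # query parameter that carried it
    leaked_url: str     # the percent-decoded URL
    from_https: bool    # the leaked page itself was served over HTTPS
    has_query: bool     # the leaked URL carries its own query string


def find_url_leaks(requests):
    """Return a Leak for every query parameter whose decoded value is an
    absolute http(s) URL whose host differs from the request's own host."""
    leaks = []
    for dest_host, request_line in requests:
        _method, target, _version = request_line.split(" ", 2)
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                parts = urlsplit(value)
                if parts.scheme not in ("http", "https") or not parts.hostname:
                    continue            # bare hostnames and relative paths are fine
                if parts.hostname == dest_host:
                    continue            # same-site URL, nothing crosses a boundary
                leaks.append(Leak(dest_host, name, value,
                                  parts.scheme == "https", bool(parts.query)))
    return leaks


def summarize(leaks):
    """Per destination host: (URLs leaked, how many came from HTTPS pages)."""
    summary = {}
    for leak in leaks:
        total, https = summary.get(leak.dest_host, (0, 0))
        summary[leak.dest_host] = (total + 1, https + int(leak.from_https))
    return summary


if __name__ == "__main__":
    found = find_url_leaks(SAMPLE_REQUESTS)
    for leak in found:
        tags = [t for t, on in (("HTTPS", leak.from_https), ("query-string", leak.has_query)) if on]
        print(f"{leak.dest_host} <- {leak.param}={leak.leaked_url}  [{' '.join(tags)}]")
    print(summarize(found))
```

Run against the sample, the two lookups carrying a full URL are reported, the first of them tagged as an HTTPS page with a query string; the first-party request, the hostname-only lookup and the same-host redirect parameter are left alone. To use it on real traffic, feed it the host header and request line of each plaintext request from a capture or proxy log; requests that were sent over HTTPS would not be readable in a capture in the first place, which is the point of the leak being unencrypted.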
In addition, the add-on has no warning that sites you visit might be disclosed, no privacy policy small print explaining its behaviour, and no apparent way to opt-out of the data-sharing.
Sanders told Naked Security that the issue was reported on the add-on’s Google Code project page on 22nd April, but has received no response. Despite the alert, version 1.4 of the ShowIP add-on has since been released – and still exhibits the same behaviour.
Sanders said that he hoped the apparent privacy lapse was the case of naivety rather than a developer with more malicious intentions:
"I suspect it's the work of a very naive developer, but who knows nowadays. What bothers me most is how this code managed to get approved on the Mozilla Addons site (not once, but twice) and how it's still there 12 days later."
The ip2info.org website itself appears to be very new, having only been registered a month ago.
And who appears to have registered the domain? A Berlin-based link marketing firm.
Hmm.
We have asked the developers of ShowIP to comment on the apparent privacy issue, and will update this article with any response we receive.
Update: Mozilla has rolled the version of ShowIP they make available on their add-on site back to 1.0. They say they are working with the developer on correcting the issue. Hopefully in future their review process will flag privacy issues like this one to prevent users’ data being potentially exposed.
Thanks to SophosLabs researcher Xiaochuan Zhang for his assistance with this article, and to Rob Sanders for the original tip.
I think it's DISGUSTING that this happened…makes one wonder how many other addons are going to leak similar information to 3rd parties…makes me wonder if anyone should ever use firefox again …
Wrong. They should just not use add-ons, either Firefox or Chrome.
Just checked the website and it’s an ip lookup site much like the add-on. Maybe it gets data from there.
If you read the article it said it was sending the information there, not receiving it. Plus you don't need an addon of any sort to find the ip of any website, just open your command prompt and type ping <webaddress> and you'll get all the same info that that addon gives you.
Herd of convenience?
Hats On and its creator efamous are fly-by-night owner operated shams. The registrant address in Hofheim is too small to swing a cat.
I assume the Berlin address is a mail drop.
The phone number in the domain registration is for a pre-paid mobile from generics retailer ALDI.
Nice going, more details exposed about this nefarious activity and the persons behind it. Keep it coming!
There is a place to "report abuse" on the right side of the Firefox addon page underneath "write review". Feel free to do that.
https://addons.mozilla.org/en-US/firefox/addon/sh…
Looks like Mozilla has rolled it back to version 1.0 from May 31, 2011.
I use Firefox but have never used this add-on, & never will after this article.
The basic reason that I have never used the ShowIP Address add-on is that I have the FlagFox add-on, which will also show the IP address of websites if you point to the small flag in the address bar. As far as I know, this add-on doesn't send any information to 3rd party sites.
Sounds like an alternative worth investigating and using if it's OK without any malicious or privacy compromising behavior.
I use FlagFox as well. It is WAY more useful than ShowIP and similar tools because it gives you not only the IP, hostname but also the country flag plus a whole range of (customizable) menu actions.
It uses an internal database to look up the flags for IP’s.
More important, it gets the IP’s from the Firefox DNS cache, showing there is ABSOLUTELY NO NEED to send out this information to a remote server — and even if there were, it still should never be needed to send out the FULL URL, only the domain name.
This is no accident…
I noticed this when it updated. You could see all the entries via Messages in the Error Console. It also slowed Firefox to a crawl, making it unresponsive. I removed it as soon as I noticed what it was doing. Definitely not okay. Sad because I've used this for a long time and miss having the ip of the site I'm viewing so handy.
As Johan said, “This is no accident…” More and more honest computer users are having to find ways of defending their information from all sorts of Internet scum.
It makes me wonder, if a hacker can do something so simple as in the ShowIP add-on, and Google can collect personal information, including passwords, email addresses and so on so easily, what is preventing the governments from keeping tabs on everyone? The governments have a bottomless pit of cash and can afford the best systems and operators. Should I believe they would never do such a thing?
I run a program that monitors every incoming request and lists where, what ISP, and whom it is coming from. I’m no longer amazed at the number of companies wanting to peek at what I’m doing, it is a minute by minute ongoing war keeping them out.
To George Orwell – we’ve arrived buddy – we're here.
This is an unconscionable lapse by Mozilla.
MoFo (Moz Foundation) has been going downhill for a long time…pretty much since they dumped the Mozilla Suite and went "pop" with Firefox and Thunderbird, neither of which delivers on the promise that they would have the same "play nice with each other" functionality that the Moz Suite had…and, fortunately, that the SeaMonkey suite still has.
Perhaps more fortunately, SeaMonkey is an independent product, not controlled by MoFo. That's all to the good, because the MoFo people appear to have lost their way, and perhaps have been poisoned by success. What a shame.
Including a solution to the ShowIP problem would have been useful for the naive user. So, how do I find it and how do I get rid of it? (It doesn't show up in system or FireFox search results.)
Lori, it's an add-on, if you didn't explicitly install it, you won't have it. It's not a part of Firefox. To see what add-ons you have, click Tools > Add-ons in the Firefox menu.
the current version on Mozilla's add-on page still calls to api.ip2info.org on every page visit. (Firefox 18, Windows 7)
I had the last version of Hide Ip and I downgraded to v1.0, but after a few days the ip2info.com cookie appeared again. :/
I've sent an appeal to ghostery.com to add the item to the block list 🙂
* oops sorry I mean Show Ip 🙂
And I was wondering why I was receiving emails from related websites I was visiting. Thanks showip. Here is your product back. Take it.
You might be interested to know that this extension now does advert hijacking (inserting adverts into the webpages you view) – definitely not a good extension!
Three days ago, the developers of ShowIP added adware to it…
I reported that plugin to Mozilla.
Got here looking for information about unknown scripts (blocked by NoScript) suddenly appearing from ip2info.org – on every page including from localhost. Based on information here, have deleted the extension; no more extra scripts.
Just uninstalled ShowIP as it was generating persistent adware/pop-ups on certain sites. Finding out that it’s potentially “leaking” sensitive data is icing on the cake! VERY disappointing that this was available/approved on Mozilla. 🙁