Could a malware extension have accessed to my firefox saved passwords?
I accidentally allowed access to a website (one with an obviously fake mozilla firefox update that popped up and whose messages were really annoying) to install software on my computer (I'm running Kubuntu 17.10). It looked like an add-on installation to me. It downloaded something and right after another dialog popped up asking for permissions so that "FF helper tool" ( that's the name of the fishy software) could access all my web data. I chose no every time. I say every time because after the first mistake I wanted to gather more information about the malware so I did it again. Maybe this was a dumb move, but I thought that since I allowed it once it'd not make any difference at that point. But again, every time I clicked on "no/cancel" when it asked me for permission to access (the second step after downloading the file).
Now I'm concerned I dumbly exposed my information to a fishy website. I could post here the link but I read it is against the rules.
I'd appreciate any feedback about this.
Thank you very much.
Chosen solution
This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page.
This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst.
Extension install:
- http://helpertoolext.com/
Domain registered Dec. 12, 2017 to [anonymous]
manifest.json:
- Updates from: "https://helpertoolff.com/
Domain registered Dec. 12, 2017 to [anonymous]
Content script:
- Embeds: https://s3.amazonaws.com/js-cache/16ab1c6ba6526da614.js
Last modified: Thursday, December 14, 2017, 5:23:52 AM - Communicates (something) with: glganltcs.space
Domain registered May 8, 2017 to [anonymous]
Background script:
- Communicates (something) with searchfwp.com
Domain registered Dec. 12, 2017 to [anonymous] - Embeds iframe from devappgrant.space
Domain registered July 21, 2017 to [anonymous]
All Replies (7)
Okay, it sounds as though the installation is pending and you can remove the extension from the Add-ons page. Either:
- Ctrl+Shift+a (Mac: Command+Shift+a)
- "3-bar" menu button (or Tools menu) > Add-ons
- type or paste about:addons in the address bar and press Enter/Return
In the left column of the Add-ons page, click Extensions. Then find the unwanted exension on the right side and Remove.
As for what it could do, that's difficult to say. I don't know if any extensions can access saved logins at this time unless you also install a separate "native application" which is required to have arbitrary access to your computer's file system.
But... extensions with full access to your website data could in theory spy on or scrape data from your web usage and exfiltrate it, so even without access to local files or saved logins in Firefox, an untrustworthy extension is a problem.
Thanks for the reply!
It feels safe to know that it is not easy to access saved logins in firefox.
Regarding your suggestion, there's nothing pending to be installed in the add-ons section. That's why I'm not 100% it was an add-on. But what else could it be? It definitely downloaded something. Maybe since I did not grant access during the second step it did not install anything but just downloaded the installation file.
Since it might help and it is not a direct link. I attach a screenshot of the "suggestion" from the website. What I basically did was clicking on "allow" in the first step but always "Cancel" in the second one. The software name is the only difference, called "FF helper tool" in my case.
gefeba said
Regarding your suggestion, there's nothing pending to be installed in the add-ons section. That's why I'm not 100% it was an add-on. But what else could it be? It definitely downloaded something. Maybe since I did not grant access during the second step it did not install anything but just downloaded the installation file.
It was an extension. Hopefully canceling on the permissions panel removed the extension permanently. Do you want to send me a message with the site address? If you click my username next to a post that will lead to a page with a link to send a message.
Chosen Solution
This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page.
This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst.
Extension install:
- http://helpertoolext.com/
Domain registered Dec. 12, 2017 to [anonymous]
manifest.json:
- Updates from: "https://helpertoolff.com/
Domain registered Dec. 12, 2017 to [anonymous]
Content script:
- Embeds: https://s3.amazonaws.com/js-cache/16ab1c6ba6526da614.js
Last modified: Thursday, December 14, 2017, 5:23:52 AM - Communicates (something) with: glganltcs.space
Domain registered May 8, 2017 to [anonymous]
Background script:
- Communicates (something) with searchfwp.com
Domain registered Dec. 12, 2017 to [anonymous] - Embeds iframe from devappgrant.space
Domain registered July 21, 2017 to [anonymous]
"FF Antifirus" ???
The official abbreviation for Firefox is Fx and not FF and Mozilla would not have used a word like Antifirus as it seems to be a typo or word play on Antivirus.
The Firefox browser does not have an antivirus client nor does Mozilla make one.
jscher2000 said
This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page. This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst. Extension install:manifest.json:
- http://helpertoolext.com/
Domain registered Dec. 12, 2017 to [anonymous]Content script:
- Updates from: "https://helpertoolff.com/
Domain registered Dec. 12, 2017 to [anonymous]Background script:
- Embeds: https://s3.amazonaws.com/js-cache/16ab1c6ba6526da614.js
Last modified: Thursday, December 14, 2017, 5:23:52 AM- Communicates (something) with: glganltcs.space
Domain registered May 8, 2017 to [anonymous]
- Communicates (something) with searchfwp.com
Domain registered Dec. 12, 2017 to [anonymous]- Embeds iframe from devappgrant.space
Domain registered July 21, 2017 to [anonymous]
If that is the case, I think I can conclude this add-on was never completely installed and my machine (including firefox) should be safe.
Thanks a lot for your support!