X
Tap here to go to the mobile version of the site.

Support Forum

Could a malware extension have accessed to my firefox saved passwords?

Posted

I accidentally allowed access to a website (one with an obviously fake mozilla firefox update that popped up and whose messages were really annoying) to install software on my computer (I'm running Kubuntu 17.10). It looked like an add-on installation to me. It downloaded something and right after another dialog popped up asking for permissions so that "FF helper tool" ( that's the name of the fishy software) could access all my web data. I chose no every time. I say every time because after the first mistake I wanted to gather more information about the malware so I did it again. Maybe this was a dumb move, but I thought that since I allowed it once it'd not make any difference at that point. But again, every time I clicked on "no/cancel" when it asked me for permission to access (the second step after downloading the file).

Now I'm concerned I dumbly exposed my information to a fishy website. I could post here the link but I read it is against the rules.

I'd appreciate any feedback about this.

Thank you very much.

I accidentally allowed access to a website (one with an obviously fake mozilla firefox update that popped up and whose messages were really annoying) to install software on my computer (I'm running Kubuntu 17.10). It looked like an add-on installation to me. It downloaded something and right after another dialog popped up asking for permissions so that "FF helper tool" ( that's the name of the fishy software) could access all my web data. I chose no every time. I say every time because after the first mistake I wanted to gather more information about the malware so I did it again. Maybe this was a dumb move, but I thought that since I allowed it once it'd not make any difference at that point. But again, every time I clicked on "no/cancel" when it asked me for permission to access (the second step after downloading the file). Now I'm concerned I dumbly exposed my information to a fishy website. I could post here the link but I read it is against the rules. I'd appreciate any feedback about this. Thank you very much.

Chosen solution

This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page.

This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst.

Extension install:

  • http://helpertoolext.com/
    Domain registered Dec. 12, 2017 to [anonymous]

manifest.json:

  • Updates from: "https://helpertoolff.com/
    Domain registered Dec. 12, 2017 to [anonymous]

Content script:

  • Embeds: https://s3.amazonaws.com/js-cache/16ab1c6ba6526da614.js
    Last modified: Thursday, December 14, 2017, 5:23:52 AM
  • Communicates (something) with: glganltcs.space
    Domain registered May 8, 2017 to [anonymous]

Background script:

  • Communicates (something) with searchfwp.com
    Domain registered Dec. 12, 2017 to [anonymous]
  • Embeds iframe from devappgrant.space
    Domain registered July 21, 2017 to [anonymous]
Read this answer in context 1

Additional System Details

Installed Plug-ins

  • Shockwave Flash 27.0 r0

Application

  • User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0

More Information

jscher2000
  • Top 10 Contributor
7373 solutions 60075 answers

Helpful Reply

Okay, it sounds as though the installation is pending and you can remove the extension from the Add-ons page. Either:

  • Ctrl+Shift+a (Mac: Command+Shift+a)
  • "3-bar" menu button (or Tools menu) > Add-ons
  • type or paste about:addons in the address bar and press Enter/Return

In the left column of the Add-ons page, click Extensions. Then find the unwanted exension on the right side and Remove.

As for what it could do, that's difficult to say. I don't know if any extensions can access saved logins at this time unless you also install a separate "native application" which is required to have arbitrary access to your computer's file system.

Okay, it sounds as though the installation is pending and you can remove the extension from the Add-ons page. Either: * Ctrl+Shift+a (Mac: Command+Shift+a) * "3-bar" menu button (or Tools menu) > Add-ons * type or paste '''about:addons''' in the address bar and press Enter/Return In the left column of the Add-ons page, click Extensions. Then find the unwanted exension on the right side and Remove. As for what it could do, that's difficult to say. I don't know if any extensions can access saved logins at this time unless you also install a separate "native application" which is required to have arbitrary access to your computer's file system.
jscher2000
  • Top 10 Contributor
7373 solutions 60075 answers

Helpful Reply

But... extensions with full access to your website data could in theory spy on or scrape data from your web usage and exfiltrate it, so even without access to local files or saved logins in Firefox, an untrustworthy extension is a problem.

But... extensions with full access to your website data could in theory spy on or scrape data from your web usage and exfiltrate it, so even without access to local files or saved logins in Firefox, an untrustworthy extension is a problem.

Question owner

Thanks for the reply!

It feels safe to know that it is not easy to access saved logins in firefox.

Regarding your suggestion, there's nothing pending to be installed in the add-ons section. That's why I'm not 100% it was an add-on. But what else could it be? It definitely downloaded something. Maybe since I did not grant access during the second step it did not install anything but just downloaded the installation file.

Since it might help and it is not a direct link. I attach a screenshot of the "suggestion" from the website. What I basically did was clicking on "allow" in the first step but always "Cancel" in the second one. The software name is the only difference, called "FF helper tool" in my case.

Thanks for the reply! It feels safe to know that it is not easy to access saved logins in firefox. Regarding your suggestion, there's nothing pending to be installed in the add-ons section. That's why I'm not 100% it was an add-on. But what else could it be? It definitely downloaded something. Maybe since I did not grant access during the second step it did not install anything but just downloaded the installation file. Since it might help and it is not a direct link. I attach a screenshot of the "suggestion" from the website. What I basically did was clicking on "allow" in the first step but always "Cancel" in the second one. The software name is the only difference, called "FF helper tool" in my case.
jscher2000
  • Top 10 Contributor
7373 solutions 60075 answers

gefeba said

Regarding your suggestion, there's nothing pending to be installed in the add-ons section. That's why I'm not 100% it was an add-on. But what else could it be? It definitely downloaded something. Maybe since I did not grant access during the second step it did not install anything but just downloaded the installation file.

It was an extension. Hopefully canceling on the permissions panel removed the extension permanently. Do you want to send me a message with the site address? If you click my username next to a post that will lead to a page with a link to send a message.

''gefeba [[#answer-1051766|said]]'' <blockquote> Regarding your suggestion, there's nothing pending to be installed in the add-ons section. That's why I'm not 100% it was an add-on. But what else could it be? It definitely downloaded something. Maybe since I did not grant access during the second step it did not install anything but just downloaded the installation file. </blockquote> It was an extension. Hopefully canceling on the permissions panel removed the extension permanently. Do you want to send me a message with the site address? If you click my username next to a post that will lead to a page with a link to send a message.
jscher2000
  • Top 10 Contributor
7373 solutions 60075 answers

Chosen Solution

This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page.

This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst.

Extension install:

  • http://helpertoolext.com/
    Domain registered Dec. 12, 2017 to [anonymous]

manifest.json:

  • Updates from: "https://helpertoolff.com/
    Domain registered Dec. 12, 2017 to [anonymous]

Content script:

  • Embeds: https://s3.amazonaws.com/js-cache/16ab1c6ba6526da614.js
    Last modified: Thursday, December 14, 2017, 5:23:52 AM
  • Communicates (something) with: glganltcs.space
    Domain registered May 8, 2017 to [anonymous]

Background script:

  • Communicates (something) with searchfwp.com
    Domain registered Dec. 12, 2017 to [anonymous]
  • Embeds iframe from devappgrant.space
    Domain registered July 21, 2017 to [anonymous]
This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page. This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst. Extension install: * http://helpertoolext''.''com/<br>Domain registered Dec. 12, 2017 to [anonymous] manifest.json: * Updates from: "https://helpertoolff''.''com/<br>Domain registered Dec. 12, 2017 to [anonymous] Content script: * Embeds: https://s3.amazonaws''.''com/js-cache/16ab1c6ba6526da614.js<br>Last modified: Thursday, December 14, 2017, 5:23:52 AM * Communicates (something) with: glganltcs''.''space<br>Domain registered May 8, 2017 to [anonymous] Background script: * Communicates (something) with searchfwp''.''com<br>Domain registered Dec. 12, 2017 to [anonymous] * Embeds iframe from devappgrant''.''space<br>Domain registered July 21, 2017 to [anonymous]
James
  • Top 10 Contributor
  • Moderator
1418 solutions 9840 answers

"FF Antifirus" ???

The official abbreviation for Firefox is Fx and not FF and Mozilla would not have used a word like Antifirus as it seems to be a typo or word play on Antivirus.

The Firefox browser does not have an antivirus client nor does Mozilla make one.

"FF Antifirus" ??? The official abbreviation for Firefox is [https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-US/firefox/releases/1.0.html Fx] and not FF and Mozilla would not have used a word like Antifirus as it seems to be a typo or word play on Antivirus. The Firefox browser does not have an antivirus client nor does Mozilla make one.

Question owner

jscher2000 said

This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page. This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst. Extension install:
  • http://helpertoolext.com/
    Domain registered Dec. 12, 2017 to [anonymous]
manifest.json:
  • Updates from: "https://helpertoolff.com/
    Domain registered Dec. 12, 2017 to [anonymous]
Content script:
  • Embeds: https://s3.amazonaws.com/js-cache/16ab1c6ba6526da614.js
    Last modified: Thursday, December 14, 2017, 5:23:52 AM
  • Communicates (something) with: glganltcs.space
    Domain registered May 8, 2017 to [anonymous]
Background script:
  • Communicates (something) with searchfwp.com
    Domain registered Dec. 12, 2017 to [anonymous]
  • Embeds iframe from devappgrant.space
    Domain registered July 21, 2017 to [anonymous]

If that is the case, I think I can conclude this add-on was never completely installed and my machine (including firefox) should be safe.

Thanks a lot for your support!

''jscher2000 [[#answer-1051811|said]]'' <blockquote> This extension blocks the Add-ons page to prevent users from removing it. (You can start up in Firefox's Safe Mode to remove it in that case.) So you must not have enabled it or you wouldn't have been able to access the Add-ons page. This extension runs on every page. There are numerous anonymously registered domains associated with this add-on. I can't tell what all it does, but I have to assume the worst. Extension install: * http://helpertoolext''.''com/<br>Domain registered Dec. 12, 2017 to [anonymous] manifest.json: * Updates from: "https://helpertoolff''.''com/<br>Domain registered Dec. 12, 2017 to [anonymous] Content script: * Embeds: https://s3.amazonaws''.''com/js-cache/16ab1c6ba6526da614.js<br>Last modified: Thursday, December 14, 2017, 5:23:52 AM * Communicates (something) with: glganltcs''.''space<br>Domain registered May 8, 2017 to [anonymous] Background script: * Communicates (something) with searchfwp''.''com<br>Domain registered Dec. 12, 2017 to [anonymous] * Embeds iframe from devappgrant''.''space<br>Domain registered July 21, 2017 to [anonymous] </blockquote> If that is the case, I think I can conclude this add-on was never completely installed and my machine (including firefox) should be safe. Thanks a lot for your support!