WOT's Firefox add-on disabled based on user data concerns

The Web of Trust (WOT) service add-on aims to make browsing safer by monitoring the sites that users visit and warning them when they run into a variety of dangers such as scams, malware, and rogue web stores. WOT offers browser extensions and mobile apps that are intended to provide a “simple and safe browsing experience.”

However, Mozilla’s Firefox browser is apparently disabling the WOT add-on and marking it as suspicious based on concerns over the protection of user data. WOT had reportedly already been identified as a problem add-on and removed from the list of available add-ons, and now users who still have WOT installed in Firefox are no longer able to use it, as Graham Cluley Associates reports.

WOT is a crowdsourced service that analyzes the ratings of over 140 million users to determine when a web page might include unsafe content or links. With WOT installed, a traffic light icon indicates whether the current page is safe or unsafe: green means that users have rated the site as safe, yellow means caution is advised, and red means potential threats have been identified.

According to reports in 2016, WOT gathers information on user browsing activities, including the date, time, location, and URL of pages visited. That data is associated with a user ID that WOT asserts is anonymous, but reporters at German broadcaster Norddeutscher Rundfunk (NDR) were able to parse the data and pull out user-identifying information such as email addresses and names for at least 50 unique users.

On November 1, 2016, Mozilla was notified and, based on further research by Rob Wu, the WOT add-on was removed as a downloadable option. Users who still had the add-on installed and running were able to continue using it until January 25, 2017, when Mozilla apparently disabled WOT in Firefox.

News of Mozilla’s actions first popped up on WOT’s support forums, with a number of users complaining that the add-on no longer functions. The user receives a notification on trying to run the WOT add-on stating that “Versions 20170120 and lower of the Web of Trust add-on send excessive user data to its service, which has been reportedly shared with third parties without sufficient sanitization. These versions are also affected by a vulnerability that could lead to unwanted remote code execution.”
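The deanonymization NDR reported and the "sufficient sanitization" that Mozilla's notice refers to can be illustrated with an added example, which is not WOT's or Mozilla's code: it shows how a single URL containing an email address ties every visit under a pseudonymous ID to a person, next to a reporting function that keeps only scheme and host. The record layout, user IDs, URLs and function names are constructed for illustration.

```javascript
// Added example: record layout and URLs are constructed, not WOT's real telemetry format.
const EMAIL_RE = /[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Return every distinct email-like string visible in a URL after percent-decoding.
function findIdentifiers(rawUrl) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawUrl);
  } catch (e) {
    decoded = rawUrl; // malformed escapes: scan the raw text instead
  }
  return [...new Set(decoded.match(EMAIL_RE) || [])];
}

// Audit: for each pseudonymous ID, which identifiers leak and how many visits they expose.
function auditLinkability(records) {
  const byUser = {};
  for (const { uid, url } of records) {
    const entry = byUser[uid] || (byUser[uid] = { identifiers: [], visits: 0 });
    entry.visits += 1;
    for (const id of findIdentifiers(url)) {
      if (!entry.identifiers.includes(id)) entry.identifiers.push(id);
    }
  }
  return byUser;
}

// Sanitizer: report scheme + host only; userinfo, port, path, query and fragment are dropped.
function sanitizeForTelemetry(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null; // unparseable input is never reported
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return `${u.protocol}//${u.hostname}`;
}

// Constructed sample records: a stable "anonymous" ID plus the full visited URL.
const records = [
  { uid: "u-7f3a", url: "https://mail.example.com/inbox?user=alice%40example.org" },
  { uid: "u-7f3a", url: "https://shop.example.net/cart" },
  { uid: "u-c210", url: "https://social.example.com/profile/bob.smith%40example.com/settings#tab=privacy" },
];

console.log(auditLinkability(records));
console.log(records.map((r) => sanitizeForTelemetry(r.url)));
```

Sanitizing the URL removes the identifier, but a stable ID still links a user's visits to each other, so the ID's lifetime matters as well.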

WOT has confirmed that it’s working to patch a remote code execution bug that exists with the tool, but there’s no word yet on whether WOT will fix the “deanonymizing” problem that led to the add-on being removed. Anyone who has the add-on installed should likely consider uninstalling it and waiting to see if WOT addresses Mozilla’s concerns.

Mark Coppock