Mozilla is rolling back the ShowIP add-on to version 1.0 for its Firefox browser because the new version sends the URLs of visited web pages to a web service called ip2info.org in unencrypted form.
The browser extension doesn’t restrict this behavior to the normal browsing mode: it also transmits URLs accessed via HTTPS and any sites visited while in “Private Browsing” mode, according to Sophos’s Graham Cluley.
ShowIP displays the IP addresses (IPv4/IPv6) of the current web page in the browser’s status bar and gives access to querying services such as whois and Netcraft. The extension is popular with network administrators and developers. Nearly 170,000 Firefox users installed the add-on, Mozilla said.
Researchers first found the described behavior in version 1.3 of the GPLv2-licensed add-on, published on April 19, and it remains in newer releases. Users complained about the privacy violation on Mozilla’s add-on page. The ShowIP Dev Team, the developer of the add-on, responded by explaining that the add-on sends the URL to the server “to access the ip2location database” and promising that HTTPS will be added as soon as possible.
According to its WhoIs entry, the “Hats on Marketing UG” marketing and SEO agency, a subsidiary of efamous GmbH, owns the ip2info.org service. The company took over the development of the add-on from the original developer, Jan Dittmer.
Mozilla rolled back the available version of ShowIP on the Mozilla Add-ons site to version 1.0 and said it is working with the developer to address the issues.