Mozilla has disabled a malicious password stealing add-on known as Mozilla Sniffer, which was uploaded on 6 June and downloaded by 1,800 users.
The add-on contained code that intercepted login data submitted to any web site, and sent this data to a remote location.
Mozilla discovered the bug on 12 July, and added it to its block list prompting the add-on to be uninstalled.
"All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected," Mozilla said in a blog post.
Mozilla Sniffer was not developed or reviewed by Mozilla. It was in an experimental state, and all users that installed it should have seen a warning indicating it is was not reviewed, Mozilla said.
A security flaw was also discovered in version 3.0.1 of the CoolPreviews add-on.
The vulnerability is triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the attacking script is given control over the host computer.
So far 177,000 users have a vulnerable version installed. This is less than 25 per cent of the install base and it will continue to decrease as more users are prompted to update to a new version, Mozilla noted.
But doesn't mention Nvidia by name...
PAC slams lackadaisical NHS security as IT security measures are ignored
Visibility, automation and accountability are essential
Developed to enhance real-time biometrics for US Army's night-time operations