The Web of Trust (WOT) service add-on aims to make browsing safer by monitoring the sites that users visit and warning when they run into a variety of danger such as scams, malware, and rogue web stores. WOT offers browser extensions and mobile apps that are intended to provide a “simple and safe browsing experience.”
However, Mozilla’s Firefox browser is apparently disabling the WOT add-on and marking it as suspicious based on concerns over the protection of user data. Apparently, WOT was previously identified as a problem add-on and removed from the list of available add-ons, and now those users who still have WOT installed in Firefox are no longer able to use it, as Graham Cluley Associates reports.
WOT is a crowdsourced solution service that analyzes the ratings of over 140 million users to determine when a web page might include unsafe content or links. With WOT installed, a traffic light icon is used to indicate whether a current page is safe or unsafe, with a green light meaning that users have rated the site as safe, yellow if caution is advised, and red if potential threats have been identified.
According to reports in 2016, WOT gathers information on user browsing activities, including the date, time, location, and URL of pages visited. A user ID is associated with that data that WOT asserts is anonymous, but German broadcaster Norddeutscher Rundfunk (NDR) reporters were able to parse the data and pull out user-identifying information such as email addresses and names for at least 50 unique users.
On November 1, 2016, Mozilla was notified and, based on further research by Rob Wu, the WOT add-on was removed as a downloadable option. Users who still had the add-on installed and running were able to continue using it until January 25, 2017, when Mozilla apparently disabled WOT in Firefox.
News of Mozilla’s actions first popped up on WOT’s support forums, with a number of users complaining that the add-on no longer functions. The user receives a notification on trying to run the WOT add-on stating that “Versions 20170120 and lower of the Web of Trust add-on send excessive user data to its service, which has been reportedly shared with third parties without sufficient sanitization. These versions are also affected by a vulnerability that could lead to unwanted remote code execution.”
WOT has confirmed that it’s working to patch a remote code execution bug that exists with the tool, but there’s no word yet on whether WOT will fix the “deanonymizing” problem that led to the add-on being removed. Anyone who has the add-on installed should likely consider uninstalling it and waiting to see if WOT addresses Mozilla’s concerns.