[Owasp-board] Trojaned FF Add-on - the final word

Jeff Williams jeff.williams at owasp.org
Wed Jul 21 19:09:48 UTC 2010

I don't think a planet approach will solve this problem. Aggregation is
easy, but weeding out the wheat from the chaff is difficult.  I'm happy to
continue doing this since it's quite automated and doesn't add much time to
my normal news reading process.  If anyone wants to help, let me know and
I'll add your shared feed.


-----Original Message-----
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
Sent: Tuesday, July 20, 2010 1:56 PM
To: OWASP Foundation Board List
Subject: [Owasp-board] Trojaned FF Add-on - the final word

FYI:  Confirmation from the source who found the backdoored Firefox 
Add-on.  It is as we suspected, not part of an official OWASP thing but 
interestingly enough because it came from the OWASP RSS aggregation, the 
perception was initially that it was OWASP endorsed.

Time for a planet.owasp.org?

-------- Original Message --------
Subject: Contact / Web Form
Date: Mon, 19 Jul 2010 08:23:03 +0200
From: Johann-Peter Hartmann <hartmann at mayflower.de>
To: matt.tesauro at owasp.org


> I saw your review and the various news stories about the Mozilla
> Sniffer Add-on.  As a member of the OWASP Foundation Board, I'm
> curious where you got this collection from.  I don't believe it's an
> official OWASP project so I'd like to look further into the situation.
> Since I'm finding multiple collections using the OWASP name, I'd
> appreciate your assistance pointing me at the collection where you
> found the trojaned Add-on.

You are perfectly right, this Add-on wasn't part of any official OWASP
security add-on collection.

I just got this wrong because I got the link to it from the owasp.org

It was there due to this blog article:
that got aggregated in the RSS feed area.

Please see

for further information about this collection.

It is correct that I first misunderstood that this Add-on was part of an
official OWASP collection, but the Mozilla guys pointed this out very fast.

Sorry if I caused you any trouble, I always have been a fan of the OWASP
activities and did not mean to.

Best regards,

