A Firefox add-on that gives users the ability to collect information on the IP address, server hostname and other related data for websites they visit also has the added bonus feature of reporting the same information on every site visited to a third-party server, SophosLabs reports. The ShowIP add-on exposes the full Web-browsing history of its users to the add-on’s back-end service—and anyone who can intercept the unencrypted packets.
Sophos’ Graham Cluely writes that he was alerted to the problem by a reader, who found a recent update to the ShowIP add-on sends the full URL of sites visited in unencrypted form—including those visited using HTTP Secure and in “private browsing” mode—to a Web server at api.ip2info.org, without alerting the user. The behavior is a potential privacy threat to users of the service, because the data leaked by the add-on could be used by anyone sharing the network they are on to reconstruct their Internet browsing history.
The issue has been reported on the add-on’s Google Code project page, but there has been no response.