Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hijacking Firefox Via Insecure Add-Ons

Posted by kdawson on from the update-me-please dept.

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.

4 of 87 comments (clear)

  1. trackpad by jovius · · Score: -1, Offtopic

    I didn't understand much of what actually took place, but i noticed the author of the video used trackpad instead of a mouse.. it's evident from the cursor's pointy moving pattern.

  2. Now they're hijacking Firefox?! by FlyingSquidStudios · · Score: -1, Offtopic

    Someone get Larry Niven and Jerry Pournelle on the case!

    --
    http://twitter.com/OLDTELEGRAM
  3. Fr1st psot? by Anonymous Coward · · Score: -1, Offtopic

    It a breaK, if

  4. mod 04 by Anonymous Coward · · Score: -1, Offtopic

    been many, not the as those non gay, obtain a copy of and arms an`d dick rules are This previously thought liitle-known Due to the troubles