Slashdot Mirror


Hijacking Firefox Via Insecure Add-Ons

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
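The exposure described in the summary comes down to the URL scheme an add-on declares for its update check. The following added example (not code from the article, the researcher, or Mozilla) audits add-on manifests for update URLs that are not HTTPS. It assumes the legacy `install.rdf` manifest format with its `em:updateURL` property; the sample manifests, IDs and `example.invalid` hosts are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"   # "em" namespace of install.rdf
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
HEAD = f'<RDF xmlns="{RDF}" xmlns:em="{EM}">'

# Constructed sample manifests; IDs and hosts are placeholders.
SAMPLES = {
    "http-element": HEAD + """
      <Description about="urn:mozilla:install-manifest">
        <em:id>sample-a@example.invalid</em:id>
        <em:updateURL>http://updates.example.invalid/a.rdf</em:updateURL>
      </Description></RDF>""",
    "https-attribute": HEAD + """
      <Description about="urn:mozilla:install-manifest"
                   em:id="sample-b@example.invalid"
                   em:updateURL="https://updates.example.invalid/b.rdf"/></RDF>""",
    "no-update-url": HEAD + """
      <Description about="urn:mozilla:install-manifest">
        <em:id>sample-c@example.invalid</em:id>
      </Description></RDF>""",
}

def update_urls(manifest_xml):
    """Return every em:updateURL value, whether written as element or attribute."""
    root = ET.fromstring(manifest_xml)
    tag = f"{{{EM}}}updateURL"
    urls = [el.text.strip() for el in root.iter(tag) if el.text and el.text.strip()]
    urls += [el.attrib[tag] for el in root.iter() if tag in el.attrib]
    return urls

def classify(manifest_xml):
    """'insecure' if any declared update URL is not HTTPS, else 'https' or 'default'."""
    urls = update_urls(manifest_xml)
    if not urls:
        return "default"  # no custom update URL declared in the manifest
    if all(urlparse(u).scheme == "https" for u in urls):
        return "https"
    return "insecure"

def audit(manifests):
    """Map each manifest name to its classification."""
    return {name: classify(xml) for name, xml in manifests.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:16} {verdict}")
```
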

4 of 87 comments

  1. Goatse! by Anonymous Coward · Score: -1, Troll
  2. YOU UNLEASHED MY FUCKIN' FURY! by Anonymous Coward · Score: -1, Troll

    U unleashed my fuckin fury! Don't push it! Don't post Firefox hack tips!!!!

  3. nGoBat by Anonymous Coward · Score: -1, Troll

    si6nificantly prospects are very

  4. Secure add-ons by Anonymous Coward · Score: -1, Troll

    Get your Secure Firefox add-on here.