Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hijacking Firefox Via Insecure Add-Ons

Posted by kdawson on from the update-me-please dept.

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.

3 of 87 comments (clear)

  1. Addons from addons.mozilla.org not vulnerable by CTho9305 · · Score: 5, Informative

    The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org/ - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

    Since it's not mentioned in the summary, it's important to reiterate that this takes advantage of non-secure update mechanisms used by some addons. The addons.mozilla.org site will only host extensions that update from addons.mozilla.org through the built-in mechanism, which is not vulnerable to this attack. This is an extension-specific issue, and would most likely apply to any sort of addon for any software that doesn't verify security certificates.

    --
    My server
  2. Is it viable? by Xtense · · Score: 5, Insightful

    So ok, it is possible to do such an attack, but... is it viable enough as an attack vector? I mean, the attacker would have to sit 24/7 near an unsecure hotspot and/or an unsecure network to wait for a potential victim, and, as we know, firefox users aren't the majority, so this further narrows down the possibility of a successful attack. That's enough to call it improbable i think. Of course, since such an attack is possible, that can mean something, but, please, would anyone sit around coffee shops all day just to infect one person with spyware, when he could just, I dunno, send viruses or trojans through mail to computer illiterate people?

    --
    "We are the music makers, and we are the dreamers of dreams [...]."
  3. Sign your addons, please.. by QuantumG · · Score: 5, Informative

    How to sign a Firefox Extension by Frederic Mercille.

    It's not hard (for anyone who can make an add-on).

    --
    How we know is more important than what we know.