How the Mozilla Sniffer Backdoor Was Discovered

An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."

Re:Informative article

[renrutal]

From TFA:

An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

Re:Native features in browser

[bsDaemon]

No, I've seen it. I used to have a pretty decent email pen-pal thing going on with Ken about 10 years ago. He's a pretty cool dude. The point is, yes, even if you see the code, unless you have the code to the compiler and build it yourself, then you can't trust the binary. Basically, you can't trust anything you don't create from scratch. There could also be back-doors in ROM in the hardware. Which is why I go on to say how even if you do your own audit you can't actually trust anything. Either you won't understand everything, you'll have taken in too much information and miss something vital or,as per your example, the real root of the problem will be so obscured from view that it doesn't even matter what you're auditing.