Slashdot Mirror


Popular Firefox Add-Ons Open Millions To New Attack (slashgear.com)

An anonymous reader writes: Security researchers claim that NoScript and other popular Firefox add-on extensions are exposing millions of end users to a new type of vulnerability which, if exploited, can allow an attacker to execute malicious code and steal sensitive data. The vulnerability resides in the way Firefox extensions interact with each other. From a report on SlashGear, "The problem is that these extensions do not run sandboxed and are able to actually access data or functions from other extensions that are also enabled. This could mean, for example, that a malware masquerading as an add-on can access the functionality of one add-on to get access to system files or the ability of another add-on to redirect users to a certain web page, usually a phishing scam page. In the eyes of Mozilla's automated security checks, the devious add-on is blameless as it does nothing out of the ordinary." Firefox's VP of Product acknowledged the existence of the aforementioned vulnerability. "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative -- our project to introduce multi-process architecture to Firefox later this year -- we will start to sandbox Firefox extensions so that they cannot share code."

54 comments

  1. The sky isn't falling, yet. by Anonymous Coward · · Score: 1

    According to the article you still need a malicious addon installed to exploit this. At which point you're boned anyway.

    1. Re:The sky isn't falling, yet. by Anonymous Coward · · Score: 0

      Very true. Install only signed addons. Done.

    2. Re:The sky isn't falling, yet. by Anonymous Coward · · Score: 0

      Doubly true as no one uses Firefox anymore.

  2. This article is alarmist rubbish. by Anonymous Coward · · Score: 5, Informative

    What a pile of crap. Heck, NoScript's author outlined it far more eloquently than I ever could: https://hackademix.net/2016/04/08/crossfud-an-analysis-of-inflated-research-and-sloppy-reporting/

    1. Re:This article is alarmist rubbish. by inode_buddha · · Score: 5, Informative

      Clickable links get more traffic around here. Re-posting the link for you from my login acct because logins tend to have more cred.

      --
      C|N>K
    2. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      Of course it's alarmist rubbish, take a look at the site it's linking to.

      Slashdot: "news we stole from ArsTechnica a week back, articles written by our holding companies."

    3. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      It's Arstechnica, what did you expect?

    4. Re:This article is alarmist rubbish. by nmb3000 · · Score: 5, Informative

      This just in: Installing malware is bad for your computer. Film at 11.

      What a pile of crap.

      Agreed. Frankly this just looks like more FUD against browser addons and a lame attempt to justify Mozilla's looming walled garden and continued Chromification approach to Firefox addons. See also: slow death of the personal computer.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    5. Re:This article is alarmist rubbish. by FrankHaynes · · Score: 0

      If Giorgio Maone wrote it, then it's close to gospel. He's a Good Guy.

      --
      slashdot: A failed experiment.
    6. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 1

      Maybe you should first read the full article rather than the news reports about it. The research is not saying that NoScript or any other extensions are purposefully putting users at risk. Rather, it is saying that it is possible to launch attacks that just combine functions from different add-ons *automatically* and stay under the radar during the vetting process. It is the Firefox architecture that is the issue, not the add-ons. Read before you form an opinion.

    7. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 5, Insightful

      The low level extension mechanism is THE thing that separates FF from other browsers. The only thing left, really. If they eliminate it, there will be no reason left to use FF, and what little market share they have remaining will evaporate.

      On the other hand, it will please their advertiser sponsors, because it will become much harder for a FF user to retain privacy from the data harvesters.

    8. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      Hey, the link points to Jesus' page, so I can trust it!

      CAP === 'evasion'

    9. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      Protip: you shouldn't speak of FUD while trying to spread your own. Even given addon signing, AMO is still nothing like a walled garden, and Mozilla has made that clearer with every concession they've made to signing and such. If nothing else, at least it's amusing that you're trying to spin this anti-Mozilla article as an attempt to upsell hypothetical Mozilla world domination plans.

    10. Re:This article is alarmist rubbish. by gweihir · · Score: 1

      While I agree that this is stupid, overblown FUD, it matters very little. Firefox (and most of Mozilla) is dying due to gross mismanagement and stupidity.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      That is ok. If I ever do have to choose just one add-on it will be NoScript. It adds an immense amount of security being able to selectively allow JavaScript. A nice side effect is that this currently blocks ads.

    12. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      The good news is that they're not against keeping such low-level capabilities, and are apparently exploring them already. Look up native.js on Bugzilla and Discourse for an example. The problem is that they probably won't get to that stuff for a while, as they're currently trying to hit the lowest-hanging fruit with WebExtensions to show that they're viable for more than just mimicking Chrome extensions. But that phase is steadily progressing, and they don't seem pessimistic about keeping low-level access, just in a different form that doesn't rely on the E10S performance-killing aspects.

    13. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      If they eliminate it

      What makes you think Mozilla is eliminating anything required by "low level" add-ons? You should read what an actual extension author thinks about the new API and the progress of its development.

    14. Re:This article is alarmist rubbish. by Anonymous Coward · · Score: 0

      "The low level extension mechanism is THE thing that separates FF from other browsers"

      What separates Firefox from other browsers for me is an OS browser made by an independent not-for-profit organization more than anything else. As long as that is true and I can trust that they are not selling me to third parties, FF is my choice and it should be supported; I want that model to survive.
      If you have any evidence that Mozilla is not doing better than Google/MS... (or any other for-profit org you like to add) in that area, please share it for my benefit and for others.

  3. Older versions of Firefox and good derivatives by Anonymous Coward · · Score: 0

    are going to get the shaft by the 'security upgrade' and mad deprecation of extensions.

  4. Not the addons' fault by Anonymous Coward · · Score: 0

    You're trying to FUD addons because they aren't sandboxed? Who makes the framework the addons run on?

  5. VP of product by Anonymous Coward · · Score: 0

    "We are evolving both our core product and our extensions platform to build in greater security."

    I have bingo on my business lingo card. What do I get?

    1. Re:VP of product by 93+Escort+Wagon · · Score: 1

      "We are evolving both our core product and our extensions platform to build in greater security."

      The last phrase in that sentence is missing the word "synergistically".

      --
      #DeleteChrome
  6. original story by Anonymous Coward · · Score: 0

    Darren Pauli from The Register broke the story last Monday after attending Black Hat Asia. If someone wants to read his story, he can do it here: http://www.theregister.co.uk/2...

  7. "Computers open millions to new attack!" by Anonymous Coward · · Score: 0

    Malware can do malicious stuff. How is this news worthy?

  8. OH NO! THE SKY IS FALLING! by Anonymous Coward · · Score: 0

    Oh my god! Water is wet! Why didn't I listen!?

  9. Pointing fingers. by Anonymous Coward · · Score: 4, Insightful

    So it's the way Firefox sandboxes add-ons? The article makes it sound like NoScript & friends are the ones directly opening "millions to new attack" when it's just Firefox. So a malicious add-on has to be approved by Firefox's team and then downloaded by some sorry victim?
    I don't think your average NoScript user is incompetent enough to download and install your "FreeToolbarFreeExtensionFree2016" add-on. I guess it makes a better story to paint NoScript and other vulnerable add-ons as the bad guys instead of Firefox itself.

    1. Re:Pointing fingers. by Anonymous Coward · · Score: 0

      Heh, people got it wrong. We're pointing fingers at those addons that disrupt the web: adblockers and script blockers. These are the things that impact people's ability to consume content the way it was meant: full of obnoxious ads and trackers.

  10. QUICK! STOP USING NOSCRIPT! by Anonymous Coward · · Score: 5, Insightful

    So we can shove the whitelisted ads we extorted money from with AdBlock down your throat!

    That's pretty much what popped into my head the second I saw NoScript mentioned in the lead.

  11. I have seen one of these in action by fhuglegads · · Score: 3, Funny

    I typed into the search bar in FF and it defaulted to Yahoo instead of Google. I uninstalled because I was afraid it might force me to play Dota instead of League of Legends, drink Pepsi instead of Coke and vote for Trump instead of Bernie. Crisis averted!

    1. Re:I have seen one of these in action by WoOS · · Score: 1

      I have seen one of these in action. I typed into the search bar in FF and it defaulted to Yahoo instead of Google.

      Changing the default search provider happens quite often and does not need what this article describes, i.e. one plugin using facilities of another. It is also easily correctable by *gasp* clicking on the looking glass icon next to the search bar and choosing your old search provider.

      Please return your nerd card per express e-mail.

    2. Re:I have seen one of these in action by Zontar+The+Mindless · · Score: 1

      Whooooooosh...

      --
      There is no Planet B.
  12. The sky has already fallen by Anonymous Coward · · Score: 0

    Hey Chicken Little, why are you still running Firefox after all these years of Chrome kicking its arse?

  13. This is stupid by Anonymous Coward · · Score: 2, Interesting

    Extensions can get the user's passwords, cookies, and history. They can make the browser do whatever they want including, but just as an example, intercept online banking sessions and make transactions in the background. Basically, they do whatever they want and this is by design.

  14. Mozilla reviews addons by hand by Anonymous Coward · · Score: 0

    What crap. Addons hosted on addons.mozilla.org, like NoScript, undergo manual review. I'm not claiming it's perfect but specifically naming NoScript like this shows the authors' claims have no credibility.

  15. Told you MANY times addons/extensions = shit by Anonymous Coward · · Score: 0

    THIS isn't -> APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram+ IO use vs. local DNS servers + addons w/ less security issues vs. DNS + routers. Less complex vs firewalls (needing layered filtering drivers - hosts don't + firewalls block less used IP addresses, hosts block more used host-domain names) complementing 'em. Antivirus = reactive. Hosts = FAR more proactive, blocking infection BEFORE you get it. Gets its data from 10 reputable security community sites.

    APK

    P.S. - Hosts get you more speed (hardcodes + adblocks) & faster vs. addons, security (vs. bad sites/dns security issues), reliability (vs. downed/poisoned dns), & anonymity (dns requestlogs/trackers) vs. other "so-called -solutions'" w/ what you natively have. Unlike Adblock/UBlock/Ghostery, hosts != blockable by ClarityRay/BlockIQ

    1. Re:Told you MANY times addons/extensions = shit by Anonymous Coward · · Score: 0

      Bing links are for faggots Andy. Are you a faggot?

    2. Re:Told you MANY times addons/extensions = shit by Zontar+The+Mindless · · Score: 1

      Look, Ma--I can link to Bing, too!

      http://www.bing.com/search?q=A...

      --
      There is no Planet B.
    3. Re:Told you MANY times addons/extensions = shit by Anonymous Coward · · Score: 0

      Attacking the messenger instead of his message, proving it totally incorrect, shows you can't do it, Zontar, and that you're ineffective.

    4. Re:Told you MANY times addons/extensions = shit by Anonymous Coward · · Score: 0

      Off topic trolling apk with illogical ad hominem attacks shows he's telling the truth. You're helping him. You're a frustrated advertiser or faulty addon maker. That much is quite clear here. Make your product better instead. Fix it. You'll never make those things more efficient than his and certainly not better by allowing ads through that infect us either. That's the price of being a sell out or being weak in your programmatic abilities against his designs that are simple. "When the solution is simple, God is answering" and his is simple and it works better and you know it. We do.

  16. Everyone quick, stop using NoScript! by Anonymous Coward · · Score: 0

    Signed,

    Janrain.com
    ntv.io
    googleadservices.com

    and of course, the home of the thinly veiled advertisement,

    Slashdot.fucking.org

  17. Add on developer here by rsilvergun · · Score: 4, Interesting

    Not looking forward to rewriting my plugin. I might not bother. It's been a fun project but Mozilla is asking me to do a lot of work without much support (so far anyway). They're gonna yank the XUL UI language without there being good replacements (HTML doesn't work right from an addon context because of the security constraints) and take away overlays (that let me access web content without a major mess of code).

    That said, their reasons aren't too bad and have nothing to do with a walled garden. The addon signing is there to give them a kill switch so that if somebody sells their addon to a malware company and it starts spewing ads they can revoke the signature and shut it down. I get a couple offers a year to "buy" my plugin and figured out pretty quick what they were after (my plugin's under the Moz license, so they could fork it or submit patches to mainline if they just wanted to pitch in).

    As for the chromification, that's because they want to make it snappier by doing multi-process. And that means not letting my add on hold up the main thread. Honestly that's the biggest thing holding back my efforts to port to Chrome. It's a nightmare to deal with all the callbacks and such when you can't even hold up the thread for simple things like writing a few bytes of preferences to disk. You don't want to know what I had to do just to get that working... OTOH they're right that it'll make the browser seem snappier. But to be blunt I don't care. I've got a 4-year-old A10-5800 and I've yet to be able to do anything in my single threaded Firefox addon that even slows down that old workhorse.

    Oh, and yeah, the article is B.S. Even in Chrome I can call out to executable files that run with the user's permissions (basically root if you're a Windows user). It looked like click bait to me so I didn't RTFA.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Add on developer here by Anonymous Coward · · Score: 1, Interesting

      You really should discuss things with Mozilla's WebExtension devs, if you haven't. They're at the stage of wanting to know what APIs existing addons will need, so working with them to find out what'll make your life easier in the long run (assuming you're not 100% done with it already) could benefit you more than you'd expect. The NoScript dev isn't the only one who they want to work with to figure these things out, and for every person who helps them at this stage, many other addons can benefit from the work. Whether they're at the right stage to do more than note your request isn't easy to tell, but they're steadily reaching a reasonable parity with Chrome's APIs, and at that point they are almost definitely going to be working on extending those APIs more than they currently are (hopefully that will include the XUL replacements beyond just porting over a few widgets to HTML).

    2. Re:Add on developer here by Anonymous Coward · · Score: 1

      mozilla has proven time and time again that THEY DON'T LISTEN. they WILL implement THEIR idea of a new addon api, and we have to live with it. period. "discuss", "talk" whatever, all you want, IT WON'T DO ANY GOOD.

      TFA is nothing but FUD to discredit existing mozilla addon architecture to promote their MUCH LESS capable, less flexible new system.

    3. Re:Add on developer here by Rexdude · · Score: 1

      Please consider making it available for Pale Moon, an independently developed fork of Firefox that plans to retain XUL and everything else that made proper extensions possible. I'm not affiliated with them in any way, but I use it regularly and it is quite fast, provides a native 64-bit build and is less of a memory hog than FF.

      --
      "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
  18. More "secure" by Anonymous Coward · · Score: 0

    The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons

    They're also a lot less vulnerable to allowing Web users to control their browsing experience, which is the main impetus behind the change. Users were never supposed to get powerful extensions like AdBlock, NoScript, and Greasemonkey, so Mozilla is righting that wrong.

  19. Arstechnica? Bwaaahahahaha - they're weak... apk by Anonymous Coward · · Score: 0

    I also WIPED ARSTECHNICA OFF THE MAP in 2003-2006 @ Windows IT Pro easily - Jeremy Reimer's website? Removed by Shaw of Canada his ISP & hosting provider + he was put on a tracking ticket by them for email harassment... his "henchman" Jay Little said "I am an EXPERT on Exchange" which much to his dismay worked against him @ "The Memory Optimization Hoax" where I proved to them AND Dr. Mark Russinovich (former "co-worker" of mine @ Sunbelt where we retailed our wares there & he bitched I outsold his work, awww) that that technology unhalted & sped up frozen Exchange Servers USING MICROSOFT'S OWN DOCUMENTATION TO DO IT (clearmem.exe is the same tech, but not GUI, & I designed the 1st program of that nature in GUI no less).

    Jay Little then trolled & stalked me to other websites where I annihilated him on ramdrives as well - he was banned + had his website @ CrystalTech removed by that hosting provider for libeling me.

    FOOLS... you're the same kind of scum, doubtless from that shithole of known online losers.

    APK

    P.S.=> Bad move bringing up the DOLTS of Arstechnica - all they can do is "gossip" like old biddies behind my back, BUT OUTSIDE THEIR "PRIVATE PLAYPEN"? The results are QUITE different, see above, lol... apk

  20. "Well, Golly" it's Zontar the douche! Proof? by Anonymous Coward · · Score: 0

    See subject: Right here https://science.slashdot.org/c... only he calls me "andy" for some odd reason & now he posts AC to try 'hide it' not remembering he calls me that.

    * LOL - didn't LIKE having it shown how I HANDED YOU YOUR ASS BEFORE for your utter fuckups vs. myself (that's only a tiny sample too - I have TONS more bookmarked on you imbecile), did you, troll -> https://slashdot.org/comments.... ?

    APK

    P.S.=> You pitiful little COWARDLY fake name online using fuck - Look: IF you're going to play "I can hide" games (no, stupid, you can't - you're TOO fucking stupid & obviously have the intellect of a carrot, as well as the same memory span dimwit - YOU GAVE YOURSELF AWAY), learn how to do it right, ok?... apk

    1. Re:"Well, Golly" it's Zontar the douche! Proof? by Zontar+The+Mindless · · Score: 1

      The AC you're responding to wasn't me. Just so you know.

      --
      There is no Planet B.
  21. Re:Arstechnica? Bwaaahahahaha - they're weak... ap by Anonymous Coward · · Score: 0

    "wiped off the map"? arstechnica appears to be alive & thriving.

  22. So do ticks, fleas, roaches & bedbugs by Anonymous Coward · · Score: 0

    I got the best of arstechnica where it matters. Tech (which they claim to be good at? I know not). Outside their private playpen where they delete posts and alter posts of those that get the best of them, they are nothing. Heck I even caught MWNH & GOD usernames using the SAME EMAIL on both accounts there too.

    * They're scumbags of the HIGHEST order... no questions asked, especially "GOITER MAN" (ugly fat fuck) PeterB/Dr. Pizza, Jeremy Reimer & his henchman (who Reimer had to use, he's so technically inept) Jay Little.

    (Too bad they took a former "co-worker" of mine for the ride too in Dr. Mark Russinovich - as Microsoft's OWN DOCUMENTATION floored them ALL on how memory optimization tech unhalts Exchange Servers that are jammed up!)

    APK

    P.S.=> See subject - says it all! You can *TRY* to post "days later", trolling by UNIDENTIFIABLE AC POSTS too, thinking I won't see it so you can attempt to "get the last word" but, I'll be there CRUSHING YOU, again, as always... lol! apk

  23. Like TrollingForHostsFiles wasn't you? by Anonymous Coward · · Score: 0

    See subject: Until you were caught admitting it in links before this where you FINALLY admitted it was you https://slashdot.org/comments.... ?

    * Coming along a week or so later trying to "cover your ass" with more lies doesn't cut it... you did yourself in LONG ago.

    APK

    P.S.=> You're the LITTLE BOY who cried wolf chump - you little DELUSIONAL FAKE NAME using trashbags online are ALL THE SAME - miserable bastards that don't have a thing to your name that others say is decent so you try spread your misery to others, trolling - you're trash, and you KNOW it (these posts merely expose it)... apk

    1. Re:Like TrollingForHostsFiles wasn't you? by Zontar+The+Mindless · · Score: 1

      *eyeroll*

      --
      There is no Planet B.
  24. Zontar the mindless says my work's malware? by Anonymous Coward · · Score: 0

    See subject & https://slashdot.org/comments.... so time to make you "eat your words" scumbag:

    My code went thru verification by Mr. Steven Burn of Malwarebytes: "I've been asked to further clarify so for the record yes I've seen the code, and yes, it is safe" FROM http://forum.hosts-file.net/vi...

    EACH company listed below HAD to rescind their false positives clearing my ware in 2012:

    1.) McAfee/Intel
    2.) ESET/NOD32
    3.) Symantec/Norton
    4.) Sophos
    5.) Comodo
    6.) ArcaVir
    7.) ClamAV
    8.) EmsiSoft
    9.) Qihoo360
    10.) Computer Associates

    * Which Mr. Burn of Malwarebytes can substantiate as well if you need more, scumbag... you're pitiful.

    APK

    P.S.=> Proof it's safe by 57++ antivirus' too (as well as having malwarebytes' folks see the code to audit it or they wouldn't host it for me as they still do years later now)-> https://www.virustotal.com/en/... ... apk