Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Hijacking Firefox Via Insecure Add-Ons

Posted by kdawson on Thu May 31, 2007 08:42 AM
from the update-me-please dept.
Security Mozilla The Internet
An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
+ -
story

Related Stories

[+] Technology: Zero Day Hole In Google Desktop 113 comments
40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: 'This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after a Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Hijacking Firefox Via Insecure Add-Ons 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • fud? (Score:4, Interesting)

    by TinBromide (921574) on Thursday May 31 2007, @08:48AM (#19335627)
    They mention the google plugin. Doesn't google offer almost all of its firefox offerings as IE search bars, desktop agents, and stuff like that. So why is the update structure for firefox different than, say, google search bar on IE?

    • Re: (Score:2, Informative)

      by Anonymous Coward
      You're right, but while FF is made to be extended with plugins, IE users rarely install addons (the most with at least on addon on IE I have seen was Google toolbar). That's why FF is a dangerous target than IE.

      The problem aabou the use of HTTP for updates is that mozilla.org takes weeks to update the release on their addon website (simpy plugin, for example, was affected by this: the 0.3 release took more than 2 weeks to appear on addons.mozilla.org). Otis, the simpy admin, told me about this while I wrote

      • Re:fud? (Score:4, Interesting)

        by mhall119 (1035984) on Thursday May 31 2007, @09:17AM (#19335947) Homepage Journal
        Any developer can create their own SSL Certificates for free. It's getting a certificate that's been signed by a vendor already in Firefox's whitelist that they are paying for. I would rather each developer create their own self-signed certificate, then I get to decide who to trust, not Verisign.

        But using HTTPS wouldn't solve this problem either, because Verisign will sell a certificate to anyone with money. What should be happening is that developers sign their packages like they do for DEB and RPM package distros. That way you always know that you're getting your updates from the same person, no matter what your internet connection.

        • Re:fud? (Score:5, Insightful)

          by JesseMcDonald (536341) on Thursday May 31 2007, @09:44AM (#19336317) Homepage

          Alternately, the Mozilla team could create their own signing certificate and add it to Firefox's whitelist; add-on developers could then get Mozilla-signed certificates for themselves. That would at least narrow the list a bit -- as you say, anyone can get a Verisign certificate, in part because there are just so many possible uses for one, but there should be few enough official Mozilla-signed add-on certificates to allow for some proper screening.

          The certificates could also be used for authentication of the updates themselves, as you suggested.

          • Re:fud? (Score:4, Informative)

            by Myen (734499) on Thursday May 31 2007, @10:09AM (#19336709)
            Unfortunately, doing that would sort of imply Mozilla would need to vouch for the extension developers (hey, they're letting them use a cert; that's what it's for, right?). As it is they barely have enough people to just try installing extensions before approving for the main site...

            If it's just extension updates anyway, and extensions already act as a part of Firefox (i.e. they're not sandboxed... which they can't be in the current architecture)... They might as well just require SSL for updates, and people who don't use the Mozilla update service can just ship their own (self-signed) cert with the extension. Of course, some authors will still work around that by doing their own thing anyway. (There were, at one point, very, very insecure extensions that... load the whole toolbar at runtime using eval() by pulling data from unsecured sites.)

        • I would rather each developer create their own self-signed certificate, then I get to decide who to trust, not Verisign.

          You need to read up on what the ssl certs are for. They are not for trust, they are for verification. Any dork can create an ssl cert and say he's John "Maddog" Hall, but to get a VERIFIED certificate from a issuing agency saying you're indeed John "Maddog" Hall requires a LOT of verification of identity.

          If you choose to trust an un-verified cert, then you are right back in the same boat as TFA is talking about.

    • Re:fud? (Score:5, Insightful)

      by DaveWick79 (939388) on Thursday May 31 2007, @10:25AM (#19337005)
      The different is, everyone knows IE is insecure because of this. But everyone expects Firefox to be this totally secure, unhackable browser when it really isn't. The point is that the same things can be done on both browsers.

      Another point is how this affects the Google Gears project that was in a previous post. Now you have cross platform hackability for an application that could potentially host your critical apps.

      • Re: (Score:3, Interesting)

        by jedidiah (1196)
        It's pretty easy to completely disable extensions. It won't "spoil your browser experience" either.

        That would be the big difference here between firefox and explorer.

        The real problem is when website authors make network dependencies with this kind of crap and scorn open standards. While many firefox extensions are nifty they are entirely optional. This is in stark contrast to the current trend in requiring flash or other plugins for every stupid little thing.

        Quicktime buttons are another fun one.

  • Don't trust public nets. (Score:5, Insightful)

    by Rob T Firefly (844560) on Thursday May 31 2007, @08:49AM (#19335635) Homepage Journal

    [I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- he could also intercept this update process and replace a Firefox add-on with a malicious one.
    This is why you shouldn't be performing anything as heavy as software updates over networks you don't totally trust, least of all the lash-ups in your average coffeehouse.

      • This is why one of the problem is automatical updates, multiple untrusted sources of updates and update systems that allow those by default.


        You mean like the Google Toolbar for IE and about a bazillion other ActiveX applets?

        This problem is not Firefox-specific.

        However, it's important to note that Firefox does not allow updates from untrusted sources by default. It comes configured with updates allowed only from addons.mozilla.org and updates.mozilla.org.

        Furthermore, for those of you with notebooks/WiFi -- for God's sake, turn off Automatically check for Updates to: Firefox, Installed Add-Ons and Search Engines from the 'Updates' tab in the 'Advanced' options, especially if you're going to be spending time in a coffee bar. And before you say: "Well, that's in the Advanced section and we shouldn't expect normal people to have to edit those options" I say horsepuckey. If you're bright enough to be using Firefox instead of IE, you should be bright enough to know how to configure it in a secure manner.

  • How about setting your updates (yes, even for add-ons) to NOT download automatically? That way you can at least control when they download...
  • ...and what happened to Google's "Do no evil" slogan?

    Then again these days Firefox itself pretty much forces you to update if you want to easily install extensions. What is with forcing people to download the plugins at install time? Last time I checked there was a plugin that allowed you to download to install later. That makes no sense. Why do I need a plugin to do this???

    I use to have a stable browser with 1.0. With 1.5 and 2.0 I often have to restart the thing if I open lots of tabs and some of the page
    • You laughed at IE for being full of stuff nobody uses.

      You derided Opera's minuscule userbase.

      You vied for the top dog spot.


      Well, now you're on your way to getting there. You're gaining markt share. With growing market share come the demands of progressively dumber users - it's just the nature of the technology market. FF's code needs a good clean-up.

  • Addons from addons.mozilla.org not vulnerable (Score:5, Informative)

    by CTho9305 (264265) on Thursday May 31 2007, @09:08AM (#19335845) Homepage
    The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org/ [mozilla.org] - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

    Since it's not mentioned in the summary, it's important to reiterate that this takes advantage of non-secure update mechanisms used by some addons. The addons.mozilla.org site will only host extensions that update from addons.mozilla.org through the built-in mechanism, which is not vulnerable to this attack. This is an extension-specific issue, and would most likely apply to any sort of addon for any software that doesn't verify security certificates.

  • Maybe if you spent more time with your plug-in's they wouldn't feel that way. Have some compassion!

  • Is it viable? (Score:5, Insightful)

    by Xtense (1075847) <xtense @ o 2 .pl> on Thursday May 31 2007, @09:13AM (#19335905) Homepage
    So ok, it is possible to do such an attack, but... is it viable enough as an attack vector? I mean, the attacker would have to sit 24/7 near an unsecure hotspot and/or an unsecure network to wait for a potential victim, and, as we know, firefox users aren't the majority, so this further narrows down the possibility of a successful attack. That's enough to call it improbable i think. Of course, since such an attack is possible, that can mean something, but, please, would anyone sit around coffee shops all day just to infect one person with spyware, when he could just, I dunno, send viruses or trojans through mail to computer illiterate people?
    • The person doesn't have to actually be there. You could disguise a server as a book on a bookshelf in a coffee shop and infect and collect all day.

  • Firefox extensions are insecure (Score:3, Interesting)

    by 140Mandak262Jamuna (970587) on Thursday May 31 2007, @09:15AM (#19335925) Journal
    Right from day one I realized that the extensions provided by Firefox could become an security issue. I use very few of them. Scriptblock, Adblock and almost nothing else. And I disable auto updates. But on the other hand, Firefox is not so closely tied to the OS that they could take this breach, elevate privileges and take over a system, like ActiveX vulnerabilities.

    Yes, one should be careful about the extensions, and use them carefully. And one should be careful about using WiFi in coffee shops and hotels. I am far more worried about our salesmen plugging in their lap top in some hotel network in Bangkok, pick up an infection and coming to corporate HQ and plug that laptop in our intranet, behind the firewall, in the trusted network. I have asked my sysadmin to set up a separate network for laptops that might be used outside our intranet that is not part of the trusted intra net.

    • I am far more worried about our salesmen plugging in their lap top in some hotel network in Bangkok, pick up an infection and coming to corporate HQ and plug that laptop in our intranet, behind the firewall, in the trusted network.
      Wow. You kids these days and your descriptions of the clap!
    • Right from day one I realized that the extensions provided by Firefox could become an security issue.[...]

      OK, so it's about the "extensions provided by Firefox"? No, it's explicitly about extensions not provided by firefox but strapped on by some mechanism devised by the extension's developer, be it Google, Yahoo, whomever.

      Extensions provided by Firefox are downloaded via a secure connection - it's your Google-toolbar that comes unprotected.

      So, if you don't have a clue, read the article. If you still hav

    • Re: (Score:3, Interesting)

      by WalterGR (106787)

      Firefox is not so closely tied to the OS that they could take this breach, elevate privileges and take over a system, like ActiveX vulnerabilities.

      Uh... not true at all. Firefox extensions can contain (and run) executable code.

      As the Greasemokey security vulnerability [oreillynet.com] demonstrated, web pages can "script" Firefox extensions.

      ActiveX = executable code + scripting from the web browser. Firefox extensions introduce the same risks as ActiveX.

      (addons.mozilla.org is having problems right now, otherwise I'

  • Sign your addons, please.. (Score:5, Informative)

    by QuantumG (50515) <qg@biodome.org> on Thursday May 31 2007, @09:18AM (#19335979) Homepage Journal
    How to sign a Firefox Extension [mercille.org] by Frederic Mercille.

    It's not hard (for anyone who can make an add-on).

  • Subject to the laws of physics (Score:3, Insightful)

    by l0ne (915881) <millenomi@NoSpAm.gmail.com> on Thursday May 31 2007, @10:05AM (#19336621)

    Q: When am I at risk?

    A: When you use a public wireless network, an untrusted Internet connection, or a wireless home router with the default password set.

    That means that this attack only works if the local area network is hijacked! Which reduces its danger substantially for the population at large as the huge majority of home connections is on its own link.

    It is only a problem in the situation above (that are atypical nowadays) and in work or other large-network settings where it is possible to connect an untrusted computer to the network.

    IT ALSO MEANS IT IS NOT FIREFOX SPECIFIC, as hijacking a connection can lead to many unpleasant things that may be as dangerous as that without requiring Firefox (ie grabbing passwords!).

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.