Hijacking Firefox Via Insecure Add-Ons

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
  • No shit! (Score:1, Informative)

    by Anonymous Coward on Thursday May 31, 2007 @08:51AM (#19335673)
    This is why extensions should all be signed or have the update servers SSL cert hard-coded.

    We can prevent attacks like this easily.
  • Re:fud? (Score:2, Informative)

    by Anonymous Coward on Thursday May 31, 2007 @08:59AM (#19335747)
    You're right, but while FF is made to be extended with plugins, IE users rarely install add-ons (the most I have seen with at least one add-on on IE was Google toolbar). That's why FF is a more dangerous target than IE.

    The problem about the use of HTTP for updates is that mozilla.org takes weeks to update the release on their add-on website (the Simpy plugin, for example, was affected by this: the 0.3 release took more than 2 weeks to appear on addons.mozilla.org). Otis, the Simpy admin, told me about this when I wrote to him saying that 0.3 was released on the author's website and suggested updating the Simpy page about the FF extension.

    On the other side, few developers can afford an SSL certificate, so that's why most updates happen over HTTP (and not on Mozilla servers).

    pieggi
  • google toolbar (Score:0, Informative)

    by Anonymous Coward on Thursday May 31, 2007 @09:06AM (#19335833)
    Unfortunately that threat is very much real; it happened to my father using Firefox and suspicious websites. He just kept clicking 'yes' as the site asked him to... after I spent countless hours installing/configuring WinXP to be secure. Bah!
    http://www.channelregister.co.uk/2006/07/20/google_toolbar_trojan/ [channelregister.co.uk]
  • by morgan_greywolf ( 835522 ) * on Thursday May 31, 2007 @09:07AM (#19335835) Homepage Journal

    This is why one of the problems is automatic updates, multiple untrusted sources of updates and update systems that allow those by default.

    You mean like the Google Toolbar for IE and about a bazillion other ActiveX applets?

    This problem is not Firefox-specific.

    However, it's important to note that Firefox does not allow updates from untrusted sources by default. It comes configured with updates allowed only from addons.mozilla.org and updates.mozilla.org.

    Furthermore, for those of you with notebooks/WiFi -- for God's sake, turn off Automatically check for Updates to: Firefox, Installed Add-Ons and Search Engines from the 'Updates' tab in the 'Advanced' options, especially if you're going to be spending time in a coffee bar. And before you say: "Well, that's in the Advanced section and we shouldn't expect normal people to have to edit those options" I say horsepuckey. If you're bright enough to be using Firefox instead of IE, you should be bright enough to know how to configure it in a secure manner.

  • by CTho9305 ( 264265 ) on Thursday May 31, 2007 @09:08AM (#19335845) Homepage
    The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org/ [mozilla.org] - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

    Since it's not mentioned in the summary, it's important to reiterate that this takes advantage of non-secure update mechanisms used by some addons. The addons.mozilla.org site will only host extensions that update from addons.mozilla.org through the built-in mechanism, which is not vulnerable to this attack. This is an extension-specific issue, and would most likely apply to any sort of addon for any software that doesn't verify security certificates.
  • by Anonymous Coward on Thursday May 31, 2007 @09:15AM (#19335923)
    This has nothing to do with Firefox's built-in forced updates. The problem here is extensions you download from sites other than addons.mozilla.org, since they might include their own non-standard update methods which don't verify security certificates. Posting AC because I have to go to work and don't want to wait 10 minutes to reply.
  • by QuantumG ( 50515 ) <qg@biodome.org> on Thursday May 31, 2007 @09:18AM (#19335979) Homepage Journal
    How to sign a Firefox Extension [mercille.org] by Frederic Mercille.

    It's not hard (for anyone who can make an add-on).

  • Re:fud? (Score:4, Informative)

    by Myen ( 734499 ) on Thursday May 31, 2007 @10:09AM (#19336709)
    Unfortunately, doing that would sort of imply Mozilla would need to vouch for the extension developers (hey, they're letting them use a cert; that's what it's for, right?). As it is they barely have enough people to just try installing extensions before approving for the main site...

    If it's just extension updates anyway, and extensions already act as a part of Firefox (i.e. they're not sandboxed... which they can't be in the current architecture)... They might as well just require SSL for updates, and people who don't use the Mozilla update service can just ship their own (self-signed) cert with the extension. Of course, some authors will still work around that by doing their own thing anyway. (There were, at one point, very, very insecure extensions that... load the whole toolbar at runtime using eval() by pulling data from unsecured sites.)
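    A defensive check in the spirit of the SSL-or-signing point made in this thread, as an added example (not code from the article, any commenter, or Mozilla): it parses a constructed install.rdf and flags an add-on whose em:updateURL is plain http:// with no em:updateKey for signed update manifests. It assumes the Firefox 2 install.rdf namespace; the add-on id and update host are invented.

```python
"""Audit a Firefox add-on's install.rdf for an insecure update channel.

Added example for this thread (not code from the article or from Mozilla):
flags an em:updateURL that is plain http:// and carries no em:updateKey,
the setup that lets a hot-spot attacker swap the update for a malicious one.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"

# Constructed install.rdf, modelled on the Firefox 2 format: an add-on that
# pulls its updates from its own server over plain HTTP and ships no public
# key for signed update manifests. Host and id are invented placeholders.
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-toolbar@example.invalid</em:id>
    <em:version>0.3</em:version>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>
"""


def audit_install_rdf(xml_text):
    """Return a list of findings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    desc = root.find("{%s}Description" % RDF)
    if desc is None:
        return ["no install-manifest Description found"]
    findings = []
    update_url = desc.findtext("{%s}updateURL" % EM)
    update_key = desc.findtext("{%s}updateKey" % EM)
    if update_url is None:
        # No updateURL: the add-on updates through addons.mozilla.org's
        # built-in mechanism, which the thread describes as not affected.
        return findings
    scheme = urlparse(update_url).scheme.lower()
    if scheme != "https":
        findings.append("updateURL uses %s, not https: %s" % (scheme, update_url))
    if not update_key:
        findings.append("no updateKey: update manifest cannot be signature-checked")
    return findings
```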
  • by phooka.de ( 302970 ) on Thursday May 31, 2007 @10:28AM (#19337055)
    Right from day one I realized that the extensions provided by Firefox could become a security issue.[...]

    OK, so it's about the "extensions provided by Firefox"? No, it's explicitly about extensions not provided by Firefox but strapped on by some mechanism devised by the extension's developer, be it Google, Yahoo, whomever.

    Extensions provided by Firefox are downloaded via a secure connection - it's your Google toolbar that comes unprotected.

    So, if you don't have a clue, read the article. If you still have any doubt that you fully understand it, don't comment on it.