Security Mozilla The Internet

Hijacking Firefox Via Insecure Add-Ons

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
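
A defender's check for the condition the summary describes, as an added example that is not part of the Slashdot post or the researcher's write-up: it reads add-on install manifests and flags update channels declared over plain http. It assumes the legacy `install.rdf` manifest format with its `em:updateURL` and `em:updateKey` fields, which the page does not mention, and goes one step beyond the summary by treating a manifest that declares a signing key as a separate case; the sample manifests, IDs, hosts and key are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

def em_value(desc, name):
    """Read an em: property given as a child element or as an attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and (child.text or "").strip():
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")

def audit_manifest(xml_text):
    """Return (addon_id, verdict) for one install.rdf document."""
    for desc in ET.fromstring(xml_text).iter(f"{{{RDF}}}Description"):
        about = desc.get("about") or desc.get(f"{{{RDF}}}about")
        if about != "urn:mozilla:install-manifest":
            continue
        addon_id, url = em_value(desc, "id"), em_value(desc, "updateURL")
        if not url:
            return addon_id, "no-update-url"     # manifest declares no channel
        if urlparse(url).scheme.lower() == "https":
            return addon_id, "https"             # transport is authenticated
        if em_value(desc, "updateKey"):          # assumption: signed update manifest
            return addon_id, "signed-manifest"
        return addon_id, "insecure"              # plain http, nothing authenticates it
    raise ValueError("no install-manifest Description found")

# Constructed sample manifests; IDs, hosts and key are placeholders.
_T = ('<RDF xmlns="{r}" xmlns:em="{e}"><Description about="urn:mozilla:'
      'install-manifest" {attrs}><em:id>{id}</em:id>{body}</Description></RDF>')
_HTTP = "<em:updateURL>http://u.example.invalid/update.rdf</em:updateURL>"
def sample(addon_id, attrs="", body=""):
    return _T.format(r=RDF, e=EM, id=addon_id, attrs=attrs, body=body)

SAMPLES = [
    sample("plain@example.invalid", body=_HTTP),
    sample("tls@example.invalid",
           attrs='em:updateURL="https://u.example.invalid/update.rdf"'),
    sample("signed@example.invalid",
           body=_HTTP + "<em:updateKey>PLACEHOLDER-KEY</em:updateKey>"),
    sample("default@example.invalid"),
]
def audit_all(manifests):
    """Map each add-on ID to its update-channel verdict."""
    return dict(audit_manifest(m) for m in manifests)

if __name__ == "__main__":
    for addon, verdict in audit_all(SAMPLES).items():
        print(f"{verdict:16} {addon}")
```
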
  • by Rob T Firefly ( 844560 ) on Thursday May 31, 2007 @08:49AM (#19335635) Homepage Journal

    [I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- he could also intercept this update process and replace a Firefox add-on with a malicious one.
    This is why you shouldn't be performing anything as heavy as software updates over networks you don't totally trust, least of all the lash-ups in your average coffeehouse.
  • by pipatron ( 966506 ) <pipatron@gmail.com> on Thursday May 31, 2007 @09:03AM (#19335805) Homepage
    This is not about updates to Firefox - it's about updates for user-supplied add-ons.
  • Is it viable? (Score:5, Insightful)

    by Xtense ( 1075847 ) <xtense AT o2 DOT pl> on Thursday May 31, 2007 @09:13AM (#19335905) Homepage
    So ok, it is possible to do such an attack, but... is it viable enough as an attack vector? I mean, the attacker would have to sit 24/7 near an unsecure hotspot and/or an unsecure network to wait for a potential victim, and, as we know, Firefox users aren't the majority, so this further narrows down the possibility of a successful attack. That's enough to call it improbable, I think. Of course, since such an attack is possible, that can mean something, but, please, would anyone sit around coffee shops all day just to infect one person with spyware, when he could just, I dunno, send viruses or trojans through mail to computer illiterate people?
  • Re:fud? (Score:5, Insightful)

    by JesseMcDonald ( 536341 ) on Thursday May 31, 2007 @09:44AM (#19336317) Homepage

    Alternately, the Mozilla team could create their own signing certificate and add it to Firefox's whitelist; add-on developers could then get Mozilla-signed certificates for themselves. That would at least narrow the list a bit -- as you say, anyone can get a Verisign certificate, in part because there are just so many possible uses for one, but there should be few enough official Mozilla-signed add-on certificates to allow for some proper screening.

    The certificates could also be used for authentication of the updates themselves, as you suggested.

  • by l0ne ( 915881 ) <millenomi.gmail@com> on Thursday May 31, 2007 @10:05AM (#19336621)

    Q: When am I at risk?

    A: When you use a public wireless network, an untrusted Internet connection, or a wireless home router with the default password set.

    That means that this attack only works if the local area network is hijacked! Which reduces its danger substantially for the population at large as the huge majority of home connections is on its own link.

    It is only a problem in the situations above (which are atypical nowadays) and in work or other large-network settings where it is possible to connect an untrusted computer to the network.

    IT ALSO MEANS IT IS NOT FIREFOX SPECIFIC, as hijacking a connection can lead to many unpleasant things that may be as dangerous as that without requiring Firefox (i.e. grabbing passwords!).

  • Re:fud? (Score:5, Insightful)

    by DaveWick79 ( 939388 ) on Thursday May 31, 2007 @10:25AM (#19337005)
    The difference is, everyone knows IE is insecure because of this. But everyone expects Firefox to be this totally secure, unhackable browser when it really isn't. The point is that the same things can be done on both browsers.

    Another point is how this affects the Google Gears project that was in a previous post. Now you have cross platform hackability for an application that could potentially host your critical apps.
  • Re:fud? (Score:3, Insightful)

    by itlurksbeneath ( 952654 ) on Thursday May 31, 2007 @11:24AM (#19338067) Journal

    I would rather each developer create their own self-signed certificate, then I get to decide who to trust, not Verisign.

    You need to read up on what the SSL certs are for. They are not for trust, they are for verification. Any dork can create an SSL cert and say he's John "Maddog" Hall, but to get a VERIFIED certificate from an issuing agency saying you're indeed John "Maddog" Hall requires a LOT of verification of identity.

    If you choose to trust an un-verified cert, then you are right back in the same boat as TFA is talking about.
