
Hijacking Firefox Via Insecure Add-Ons

An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
  • fud? (Score:4, Interesting)

    by TinBromide ( 921574 ) on Thursday May 31, 2007 @08:48AM (#19335627)
    They mention the Google plugin. Doesn't Google offer almost all of its Firefox offerings as IE search bars, desktop agents, and stuff like that? So why is the update structure for Firefox different than, say, Google search bar on IE?
  • by miowpurr ( 1004277 ) on Thursday May 31, 2007 @08:58AM (#19335737) Homepage
    How about setting your updates (yes, even for add-ons) to NOT download automatically? That way you can at least control when they download...
  • by 140Mandak262Jamuna ( 970587 ) on Thursday May 31, 2007 @09:15AM (#19335925) Journal
    Right from day one I realized that the extensions provided by Firefox could become a security issue. I use very few of them. Scriptblock, Adblock and almost nothing else. And I disable auto updates. But on the other hand, Firefox is not so closely tied to the OS that they could take this breach, elevate privileges and take over a system, like ActiveX vulnerabilities.

    Yes, one should be careful about the extensions, and use them carefully. And one should be careful about using WiFi in coffee shops and hotels. I am far more worried about our salesmen plugging in their laptop in some hotel network in Bangkok, picking up an infection and coming to corporate HQ and plugging that laptop in our intranet, behind the firewall, in the trusted network. I have asked my sysadmin to set up a separate network for laptops that might be used outside our intranet that is not part of the trusted intranet.

  • Re:fud? (Score:4, Interesting)

    by mhall119 ( 1035984 ) on Thursday May 31, 2007 @09:17AM (#19335947) Homepage Journal
    Any developer can create their own SSL Certificates for free. It's getting a certificate that's been signed by a vendor already in Firefox's whitelist that they are paying for. I would rather each developer create their own self-signed certificate, then I get to decide who to trust, not Verisign.

    But using HTTPS wouldn't solve this problem either, because Verisign will sell a certificate to anyone with money. What should be happening is that developers sign their packages like they do for DEB and RPM package distros. That way you always know that you're getting your updates from the same person, no matter what your internet connection.
  • by BlackCobra43 ( 596714 ) on Thursday May 31, 2007 @09:59AM (#19336531)
    You laughed at IE for being full of stuff nobody uses.

    You derided Opera's minuscule userbase.

    You vied for the top dog spot.


    Well, now you're on your way to getting there. You're gaining market share. With growing market share come the demands of progressively dumber users - it's just the nature of the technology market. FF's code needs a good clean-up.
  • Re:fud? (Score:3, Interesting)

    by jedidiah ( 1196 ) on Thursday May 31, 2007 @11:22AM (#19338045) Homepage
    It's pretty easy to completely disable extensions. It won't "spoil your browser experience" either.

    That would be the big difference here between firefox and explorer.

    The real problem is when website authors make network dependencies with this kind of crap and scorn open standards. While many firefox extensions are nifty they are entirely optional. This is in stark contrast to the current trend in requiring flash or other plugins for every stupid little thing.

    Quicktime buttons are another fun one.
  • by WalterGR ( 106787 ) on Thursday May 31, 2007 @01:11PM (#19339833) Homepage

    Firefox is not so closely tied to the OS that they could take this breach, elevate privileges and take over a system, like ActiveX vulnerabilities.

    Uh... not true at all. Firefox extensions can contain (and run) executable code.

    As the Greasemonkey security vulnerability [oreillynet.com] demonstrated, web pages can "script" Firefox extensions.

    ActiveX = executable code + scripting from the web browser. Firefox extensions introduce the same risks as ActiveX.

    (addons.mozilla.org is having problems right now, otherwise I'd point out some extensions that have .EXEs in them. I looked into it before and one extension that had them added support for 3rd party download managers - don't recall the name...)
