Popular Firefox Add-Ons Open Millions To New Attack

An anonymous reader writes: Security researchers claim that NoScript and other popular Firefox add-on extensions are exposing millions of end users to a new type of vulnerability which, if exploited, can allow an attacker to execute malicious code and steal sensitive data. The vulnerability resides in the way Firefox extensions interact with each other. From a report on SlashGear, "The problem is that these extensions do not run sandboxed and are able to actually access data or functions from other extensions that are also enabled. This could mean, for example, that a malware masquerading as an add-on can access the functionality of one add-on to get access to system files or the ability of another add-on to redirect users to a certain web page, usually a phishing scam page. In the eyes of Mozilla's automated security checks, the devious add-on is blameless as it does nothing out of the ordinary." Firefox's VP of Product acknowledged the existence of the aforementioned vulnerability. "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative -- our project to introduce multi-process architecture to Firefox later this year -- we will start to sandbox Firefox extensions so that they cannot share code."

The sky isn't falling, yet.

[Anonymous Coward]

According to the article you still need a malicious addon installed to exploit this. At which point you're boned anyway.

This article is alarmist rubbish.

[Anonymous Coward]

What a pile of crap. Heck, NoScript's author outlined it far more eloquently that I ever could: https://hackademix.net/2016/04/08/crossfud-an-analysis-of-inflated-research-and-sloppy-reporting/

Re:This article is alarmist rubbish.

[inode_buddha]

Clickable links get more traffic [hackademix.net] around here. Re-posting the link for you from my login acct because logins tend to have more cred.

Re:This article is alarmist rubbish.

[nmb3000]

This just in: Installing malware is bad for your computer. Film at 11.

What a pile of crap.

Agreed. Frankly this just looks like more FUD against browser addons and a lame attempt to justify Mozilla's looming walled garden [mozilla.org] and continued Chromification [mozilla.org] approach to Firefox addons. See also: slow death of the personal computer.

Re:This article is alarmist rubbish.

[Anonymous Coward]

The low level extension mechanism is THE thing that separates FF from other browsers. The only thing left, really. If they eliminate it, there will be no reason left to use FF, and what little market share they have remaining will evaporate.

On the other hand, it will please their advertiser sponsors, because it will become much harder for a FF user to retain privacy from the data harvesters.

Re:

[gweihir]

While I agree that this is stupid, overblown FUD, it matters very little. Firefox (and most of Mozilla) is dying due to gross mismanagement and stupidity.

Add on developer here

[rsilvergun]

Not looking forward to re-writing my plugin. I might not bother. It's been a fun project but Mozilla is asking me to do a lot of work without much support (so far anyway). They're gonna yank the XUL UI language without there being good replacements (HTML doesn't work right from an addon context because of the security constraints) and take away overlays (that let me access web content without a major mess of code).

That said their reasons aren't too bad and have nothing to do with a walled garden. The addon signing is there to give them a kill switch so that if somebody sells their addon to a malware company and it starts spewing adds they can revoke the signature and shut it down. I get a couple offers a year to "buy" my plugin and figured out pretty quick what they were after (my plugin's under the Moz license, so they could fork it or submit patches to mainline if they just wanted to pitch in).

As for the chromification, that's because they want to make it snappier by doing multi-process. And that means not letting my add on hold up the main thread. Honestly that's the biggest thing holding back my efforts to port to Chrome. It's a nightmare to deal with all the callbacks and such when you can't even hold up the thread for simple things like writing a few bytes of preferences to disk. You don't want to know what I had to do just to get that working... OTOH they're right that it'll make the browser seem snappier. But to be blunt I don't care. I've got an 4 year old A10-5800 and I've yet to be able to do anything in my single threaded Firefox addon that even slows down that old workhorse.

Oh, and yeah, the article is B.S.. Even in Chrome I can call out to executable files that run with the users permissions (basically root if you're a Windows User). It looked like click bait to me so I didn't RTFA.

Re:

[Anonymous Coward]

You really should discuss things with the Mozilla's WebExtension devs, if you haven't. They're at the stage of wanting to know what APIs existing addons will need, so working with them to find out what'll make your life easier in the long run (assuming you're not 100% done with it already) could benefit you more than you'd expect. The NoScript dev isn't the only one who they want to work with to figure these things out, and for every person who helps them at this stage, many other addons can benefit from th

Re:

[Anonymous Coward]

mozilla has proven time and time again that THEY DON'T LISTEN. they WILL implement THEIR idea of a new addon api, and we have to live with it. period. "discuss", "talk" whatever, all you want, IT WON'T DO ANY GOOD.

TFA is nothing but FUD to discredit existing mozilla addon architecture to promote their MUCH LESS capable, less flexible new system.

Re:

[Rexdude]

Please consider making it available for Pale Moon [palemoon.org], an independently developed fork of Firefox that plans to retain XUL and everything else that made proper extensions possible. I'm not affiliated with them in any way, but I use it regularly and it is quite fast, provides a native 64-bit build and is less of a memory hog than FF.

Re:

[FrankHaynes]

If Giorgio Maone wrote it, then it's close to gospel. He's a Good Guy.

Re:

[Anonymous Coward]

Maybe you should first read the full article rather than the news reports about it. The research is not saying that NoScript or any other extensions are purposefully putting users at risk. Rather, it is saying that it is possible to launch attacks that just combine functions from different add ons *automatically* and stay under the radar during the vetting process. It is the Firefox architecture that is the issue, not the add ons. Read before you form an opinion.

Re:

[93 Escort Wagon]

"We are evolving both our core product and our extensions platform to build in greater security."

The last phrase in that sentence is missing the word "synergistically".

Pointing fingers.

[Anonymous Coward]

So it's the way Firefox sandboxes add-ons?.. the article makes it sound like NoScript & friends are the ones directly opening "millions to new attack.." when it just Firefox. So a malicious add-on has to be approved by Firefox's team and then downloaded by some sorry victim?
I don't think your average NoScript user is incompetent enough to download and install your "FreeToolbarFreeExtensionFree2016" add-on. I guess it makes a better story to paint NoScript and other vulnerable add-ons as the bad guys instead of Firefox itself.

QUICK! STOP USING NOSCRIPT!

[Anonymous Coward]

So we can shove the whitelisted ads we extorted money from with AdBlock down your throat!

That's pretty much what popped into my head the second I saw NoScript mentioned in the lead.

I have seen one of these in action

[fhuglegads]

I typed into the search bar in FF and it defaulted to Yahoo instead of Google. I uninstalled because I was afraid it might force me to play Dota instead of League of Legends, drink Pepsi instead of Coke and vote from Trump instead of Bernie. Crisis averted!

Re:

[WoOS]

I have seen one of these in action. I typed into the search bar in FF and it defaulted to Yahoo instead of Google.

Changing the default search provider happens quite often and does not need what this article describes i.e. one plugin using facilities of another. It is also easily correctable by *gasp* clicking on the looking glass icon next to the search bar and choosing your old search provider.

Please return your nerd card per express e-mail.

Re:

[Zontar The Mindless]

Whooooooosh...

This is stupid

[Anonymous Coward]

Extensions can get the user's passwords, cookies, and history. They can make the browser do whatever they want including, but just as an example, intercept online banking sessions and make transactions in the background. Basically, they do whatever they want and this is by design.

Re:

[Zontar The Mindless]

The AC you're responding to wasn't me. Just so you know.

Re:

[Zontar The Mindless]

*eyeroll*

Re:

[Zontar The Mindless]

Look, Ma--I can link to Bing, too!

http://www.bing.com/search?q=A... [bing.com]