Chris Soghoian discovered that Firefox add-ons can inadvertently create security holes that criminals could use to steal sensitive data from millions of users.
We aren't talking about shady add-ons written by amateurs: Soghoian claims the vulnerability affects some of the most popular Firefox add-ons, including the Google Toolbar, Yahoo Toolbar, Del.icio.us toolbar, Facebook Toolbar, Netcraft Anti-Phishing Toolbar and many others.
Mozilla has always provided a free hosting service for open-source extensions at addons.mozilla.org. But many third-party makers opt to serve updates on their own, using servers that often transmit the updates via insecure protocols (think http:// instead of https://).
As a result, if an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore (a fairly trivial attack given the myriad free, point-and-click hacking tools available today), he could also intercept this update process and replace a Firefox add-on with a malicious one.
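As an added example (not code from the article or from any of the vendors named in it), here is a small auditor that reads an add-on's install.rdf and flags an update channel served over plain http, the weak setting described above. It assumes the em:updateURL field in Mozilla's install-manifest namespace; the em:updateKey check goes beyond the article and reflects the signed-update-manifest mechanism Firefox added later, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by a Firefox install.rdf manifest.
EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

def _em_field(desc, name):
    """em:* fields may be written as an attribute or as a child element."""
    value = desc.get(EM + name)
    if value is None:
        child = desc.find(EM + name)
        value = child.text if child is not None else None
    return value.strip() if value else None

def audit_update_channel(install_rdf):
    """Classify how an add-on fetches its updates, from its install.rdf text."""
    root = ET.fromstring(install_rdf)
    desc = root.find(RDF + "Description")
    if desc is None:
        raise ValueError("no Description element in install manifest")
    url = _em_field(desc, "updateURL")
    # Signed-manifest key (later Firefox releases); assumption, not from the article.
    key = _em_field(desc, "updateKey")
    if url is None:
        status = "amo-hosted"   # no updateURL: updates come from addons.mozilla.org
    elif urlparse(url).scheme.lower() == "https":
        status = "secure"       # TLS protects the update manifest in transit
    elif key:
        status = "signed"       # plaintext transport, but the manifest is signed
    else:
        status = "insecure"     # plaintext and unsigned: the case the article describes
    return {"id": _em_field(desc, "id"), "updateURL": url, "status": status}

# Constructed sample manifest for an add-on that self-hosts updates over plain http.
INSECURE_MANIFEST = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="toolbar@example.invalid" em:version="1.2">
    <em:updateURL>http://updates.example.invalid/toolbar/update.rdf</em:updateURL>
  </Description>
</RDF>"""

# The same add-on after moving its update manifest to https.
SECURE_MANIFEST = INSECURE_MANIFEST.replace("http://updates", "https://updates")

if __name__ == "__main__":
    for manifest in (INSECURE_MANIFEST, SECURE_MANIFEST):
        print(audit_update_channel(manifest))
```

Run against the install.rdf files of installed add-ons, the "insecure" status identifies exactly the extensions whose updates a hot-spot attacker could substitute.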
The problem is especially dangerous with Google's toolbar. Firefox will usually alert users that new versions of installed add-ons are available and give them the option to decline or accept the updates. But Soghoian said Google's toolbar (which is bundled with Firefox) updates without any such prompt.
"Typically, when Firefox sees that an update for any installed extension becomes available, upon next browser restart Firefox will prompt the user 'do you wish to install the update,'" Soghoian said. "However, Google disabled this, and thus, if Firefox sees that there is an update for any Google-made extension, upon next restart, Firefox automatically downloads and installs the update without prompting the user."