Firefox add-ons make the browser less secure

Posted on Friday, Jun 01 2007 @ 00:15 CEST by Thomas De Maesschalck
Chris Soghoian discovered Firefox add-ons inadvertently create security holes that could be used by criminals to steal sensitive data from millions of users.

We aren't talking about some shady add-ons created by amateurs, Soghoian claims the vulnerability exists for some of the most popular Firefox add-ons like the Google Toolbar, Yahoo Toolbar, Del.icio.us toolbar, Facebook Toolbar, Netcraft Anti-Phishing Toolbar and many others.

Washington Post writes:
Mozilla has always provided a free hosting service for open-source extensions at addons.mozilla.org. But many third-party makers opt to serve updates on their own, using servers that often transmit the updates via insecure protocols (think http:// instead of https://).

As a result, if an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- he could also intercept this update process and replace a Firefox add-on with a malicious one.

The problem is especially dangerous with Google's toolbar. Firefox usually will alert users that new versions of installed add-ons are available and give users the option to decline or accept the updates. But Soghoian said Google's toolbar (which is bundled with Firefox) updates without any such prompts.

"Typically, when Firefox sees that an update for any installed extension becomes available, upon next browser restart Firefox will prompt the user 'do you wish to install the update,'" Soghoian said. "However, Google disabled this, and thus, if Firefox sees that there is an update for any google made extension, upon next restart, Firefox automatically downloads and installs the update without prompting the user."


About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.



Loading Comments