Bugtraq mailing list archives

Re: Evil side of Firefox extensions

From: "Henri Cook" <henri () orion-hosting co uk>
Date: Wed, 1 Mar 2006 19:40:08 -0000 (GMT)


This is definitely a good idea, although I don't think it should be a
compulsory feature (optional would be nice). If more people than just you
have access to a machine at the end of the day there's no way to guarantee
security. This is just another method of stealing information like a
keylogger would (although admittedly, more intelligent).
This isn't so much a bug as it would be user error (in my opinion), you
choose what extensions you want to install and if you're foolish enough to
install an extension from an untrusted source then you can expect horrible
things to happen.

Henri
henri[at]theplayboymansion[dot]net

Background
----------
Firefox is very popular and secure web browser. Until now, it is used by
milions of people and thousands of internet clubs. One of the great
features of
Firefox are extensions. You can use them to create things inside your
browser
which are beyond your imagination. But everything has an other side..

Overview
--------
Writting a powerfull extension is extremely simple process. Extensions are
allowed to do _everything_ with your browser: They can change the skin,
block
banners on pages or even create network connection and send data through
it to
the internet. The worst of all is that _anyone_, who has physical access
to
your computer, can install extensions into your browser _without_ your
notification.

As an example, I created a simple html form sniffer. You can download it
here:
http://azurit.gigahosting.cz/ffsniff/

It was tested only with Firefox 1.0.x and 1.5.x .

FFsniFF is a simple Firefox extension, which transforms your browser into
the
html form sniffer. Everytime the user click on 'Submit' button, FFsniFF
will try
to find a non-blank password field in the form. If it's found, entire form
(also
with URL) is sent to the specified e-mail address.

Solution
--------
I think that the solution for this should be in the ability of locking the
installation of extensions with a password. Every user will be able to
read hash
of the password (so the browser can verify it) and only system
administrator
will be allowed to change it (it can be stored for example in registers
[Windows] or somewhere in /etc dir [Linux]).


azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk

Current thread:

Evil side of Firefox extensions azurIt (Mar 01)
- Re: Evil side of Firefox extensions Henri Cook (Mar 01)
- Re: Evil side of Firefox extensions Ben (Mar 01)
- Re: Evil side of Firefox extensions Mike Owen (Mar 01)
- Re: Evil side of Firefox extensions Dave Korn (Mar 01)
- <Possible follow-ups>
- Re: Evil side of Firefox extensions azurIt (Mar 01)
  - Re: Evil side of Firefox extensions Michael Ekstrand (Mar 01)
- RE: Evil side of Firefox extensions salexander (Mar 01)