Hackers can drop malicious code into systems running Mozilla's Firefox when the browser is armed with any of several high-profile add-ons, including Google Toolbar and Yahoo Toolbar, a researcher revealed today. Mozilla has acknowledged the risk posed by some extensions.
Christopher Soghoian, a Ph.D student at Indiana University, outlined how "man-in-the-middle" attackers, especially in public wireless networks, could disguise malware as a Firefox extension and surreptitiously plant their code in lieu of a normal update to one of the vulnerable extensions.
The bulk of Firefox extensions -- small plug-ins that add features or functionality, and are almost universally created by volunteer developers or hobbyists -- are hosted and updated from Mozilla's own SSL-secured site, and are not vulnerable to this attack, Soghoian said. A number of broadly used third-party extensions, however, update from their own unsecured servers.
"It's sort of a compounding of errors," Soghoian said. "Mozilla didn't tell developers that they should update from a secure link; they erred in assuming everyone would know to do that. But the add-on developers are at fault for not using a secure server."
Mozilla revised the documentation for crafting and maintaining Firefox extensions after being contacted by Soghoian to post a prominent warning that urges developers to host updates on a SSL-secured site.
Public wireless access points, like those at airports and coffee shops, would be the most likely scene of an attack, because it's relatively easy there for a hackers' laptop to mimic a legitimate update server. But Soghoian warned that other locales would be just as dangerous.
"Any network where you're not running the show puts you at risk," he said. "If you're using your neighbor's wireless, for example." Users of the Tor anonymity network would also be vulnerable, Soghoian added. "There you're trusting your DSN to someone you don't know."
He listed Google Toolbar, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, Netcraft Anti-Phishing Toolbar, and PhishTank SiteChecker among the at-risk add-ons, but couldn't come up with an exhaustive catalog. "I didn't have time to test every extension," he said, "so I went to Download.com and looked at the top 20."
Ironically, some, such as Netcraft's, are designed to protect users against threats. "Users think 'I'm gonna make myself safer' by installing this extension, but they end up putting themselves at risk."
One vulnerable extension -- the eBay-created, Mozilla-sanctioned add-on for French, German, and British online auction users -- was shifted to a secure server within days, Soghoian said.
Other vendors contacted by Soghoian, however, were less responsive.
"It was really frustrating. Firefox was fantastic, but some of the other firms, they either ignored my e-mails or didn't reply," Soghoian said. He fingered Google Inc. as especially uncooperative. Between April 16 and May 24 he sent Google's security team five e-mails, but received only one reply, on May 25, that said the group was working on a fix that was to be deployed before today. As of today, however, Google Toolbar was being served from an unsecured URL.
"This was really eye-opening," said Soghoian, who interned with Google's Application Security Team last summer.
"Vendors should be doing everything possible to encourage researchers," he said. "They should be encouraging us to come to them rather than sell the vulnerabilities to iDefense or Tipping Point. Ignoring researchers isn't the best way to encourage an open dialog."
Soghoian recommended that until affected extension vendors release secure updates, users should either remove or disable all Firefox extensions and toolbars that have not been downloaded from the official Mozilla Add-Ons site.
In an e-mail today, Mozilla's director of ecosystem development, Mike Shaver, admitted the danger that insecurely hosted and updated add-ons pose, and urged extension developers to fix the problem.
"We strongly encourage the providers of such add-ons to remedy their hosting situation promptly, to minimize the exposure to the users of their software," Shaver said. "Users of add-ons hosted on AMO, including all of the ones we've been working on, are not at risk here."