Wednesday, November 28, 2007

Firefox Extensions That You Thought Were Safe

Chris Soghoian has shown that some very popular Firefox add-ons, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar and LinkedIn Browser Toolbar, may pose a security threat.



By design, each Firefox extension carries a hard-coded update URL. Each time Firefox starts, it contacts the creator's update server at that address so the browser can determine whether a new version of the add-on is available.


Mozilla has always provided a free hosting service for open-source extensions at addons.mozilla.org. But many third-party makers opt to serve updates on their own, using servers that often transmit the updates via insecure protocols (think http:// instead of https://).


As a result, if an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.
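To check an add-on for exactly this weakness before installing it, here is an added example (not code from the original post or from Mozilla): a Python audit script that opens an .xpi, reads its install.rdf manifest and flags an em:updateURL served over plain http. The sample manifest is constructed, and the em:updateKey check assumes the signed-manifest mechanism later Firefox versions added.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

def _field(desc, name):
    """install.rdf allows em:* fields either as child elements or as attributes."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")

def audit_install_rdf(rdf_xml: str) -> dict:
    """Classify how an extension fetches its updates from its install manifest."""
    root = ET.fromstring(rdf_xml)
    desc = root.find(f"{{{RDF}}}Description")
    if desc is None:
        raise ValueError("no RDF:Description in install.rdf")
    url = _field(desc, "updateURL")
    has_key = _field(desc, "updateKey") is not None  # assumption: signed manifest key
    if url is None:
        verdict = "ok-mozilla-hosted"  # no updateURL: Firefox asks addons.mozilla.org
    elif urlparse(url).scheme == "https":
        verdict = "ok-https"
    elif has_key:
        verdict = "http-signed"        # plain http, but manifest can be verified
    else:
        verdict = "INSECURE-http"      # update check can be tampered with on the wire
    return {"id": _field(desc, "id"), "updateURL": url, "verdict": verdict}

def audit_xpi(xpi_bytes: bytes) -> dict:
    """An .xpi is a zip file; the manifest lives at its root as install.rdf."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return audit_install_rdf(z.read("install.rdf").decode("utf-8"))

# Constructed sample manifest for a hypothetical toolbar (not a real add-on).
SAMPLE_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-toolbar@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>"""

def build_sample_xpi() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", SAMPLE_RDF)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_xpi(build_sample_xpi()))  # verdict: INSECURE-http
```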

