Christopher Soghoian, the researcher who attracted the attention of the FBI last year by releasing a tool that could be used to generate fake boarding passes, is at it again. Well, at hunting down weaknesses in security that is.
This time, Christopher has identified an exploitable vulnerability in the upgrade mechanism found in a number of notable Mozilla Firefox extensions. Essentially, it has to do with the fact that some of the most widely used extensions, including those from Google, Yahoo and AOL, do not use secure connections when performing an auto-update.
To its credit, Firefox does at least prompt the user first when updates are detected as available. However, some commercial extensions, including those made by Google, have disabled this.
This makes it possible for a “man-in-the-middle” attack to be executed against the hapless user. In the case of a successful attack, an attempt by the extension to locate latter versions of itself could be redirected to a hostile site. A malicious extension masquerading as the real deal would then be automatically downloaded in the background, and run without the user noticing anything at all.
Such an attack will not work against a SSL enabled web server.
Detractors might argue that Firefox extensions only run within the browser itself, and not as a superuser. Hence, any potential damage should be limited. Even in such a case however, it would still be possible for the malicious extension to actively spy on the browsing activities of the victim, as well as any number of shenanigans involving network access such as sending spam and performing port scans.
To fix the problem, ensure that all your extensions are downloaded from the official Firefox Add-ons website (https://addons.mozilla.org). If in doubt, simply delete the extension, and download it from the Add-ons site again.
Now that you have run through your extensions list, were you vulnerable to this security hole? Also, speaking of extensions, what are your installed extensions? Join the discussion.