Danger from Firefox extensions
Student Christopher Soghoian has warned users to beware of Firefox extensions from companies such as Google, Yahoo and AOL, which are not distributed via the Mozilla Add-ons web page. In most cases these extensions use an insecure connection when checking for and downloading updates. If a potential attacker has access to the network being used - for example on an open wireless network - it is apparently straightforward to intercept the connection and cause the browser to download and install a backdoor without the user's knowledge.
Soghoian cites the popular Google Pack / Google Toolbar as an example. By contrast, most small extensions are not affected, as their developers generally use the Mozilla infrastructure, which distributes them over secure SSL connections. The code-signing mechanisms implemented in Firefox/Mozilla are still rudimentary and are consequently little used.
In addition to the Mozilla development team, Soghoian also informed a number of large companies of this problem 45 days ago. The Mozilla team released an updated version of the Firefox / eBay extension within two days. No other response has yet been documented.
To protect themselves, users should temporarily deactivate the affected extensions, at least when surfing over insecure networks. However, determining which particular extensions are affected may not be simple - if in doubt, all extensions that are not distributed via the official Mozilla / Firefox website should be considered unsafe. The Mozilla team is of the opinion that responsibility lies with the respective vendors, but is nevertheless considering revising the update mechanism in time for Firefox 3.
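One way to triage installed extensions along the lines the article suggests, as an added example that is not part of the original article: parse each extension's install.rdf manifest and flag any em:updateURL that is not fetched over HTTPS. The manifests, extension ids and hostnames below are constructed samples, not real extensions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by install.rdf, the manifest Firefox 2-era extensions ship with.
EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"


def audit_manifest(install_rdf: str) -> dict:
    """Report the extension id, its em:updateURL and whether that URL is HTTPS."""
    desc = ET.fromstring(install_rdf).find(f"{RDF}Description")
    # Both fields may appear as a child element or as an attribute of Description.
    ext_id = desc.findtext(f"{EM}id") or desc.get(f"{EM}id")
    update_url = desc.findtext(f"{EM}updateURL") or desc.get(f"{EM}updateURL")
    if update_url is None:
        # No updateURL: Firefox asks addons.mozilla.org over SSL, the path the
        # article describes as safe.
        secure = True
    else:
        secure = urlparse(update_url).scheme.lower() == "https"
    return {"id": ext_id, "update_url": update_url, "secure": secure}


def insecure_extensions(manifests) -> list:
    """Ids of extensions whose update check an on-path attacker could tamper with."""
    return [r["id"] for r in map(audit_manifest, manifests) if not r["secure"]]


# Constructed sample manifests (hypothetical ids and hosts, not real extensions).
SAMPLE_MANIFESTS = [
    """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
      <Description about="urn:mozilla:install-manifest">
        <em:id>toolbar@vendor.example</em:id>
        <em:updateURL>http://updates.vendor.example/toolbar.rdf</em:updateURL>
      </Description></RDF>""",
    """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
      <Description about="urn:mozilla:install-manifest"
                   em:id="sidebar@vendor.example"
                   em:updateURL="https://updates.vendor.example/sidebar.rdf"/>
    </RDF>""",
    """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
      <Description about="urn:mozilla:install-manifest">
        <em:id>{a1b2c3d4-0000-4000-8000-000000000000}</em:id>
      </Description></RDF>""",
]
```

Running `insecure_extensions` over the manifests in a profile's extensions directory lists exactly the add-ons worth disabling on untrusted networks; an absent updateURL is treated as safe because the check then goes to Mozilla's own site.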
- A Remote Vulnerability in Firefox Extensions, by Christopher Soghoian