Network News

X My Profile
View More Activity

A New Vector For Hackers -- Firefox Add-Ons

Makers of some of the most popular extensions, or "add-ons," for Mozilla's Firefox Web browser may have inadvertently introduced security holes that criminals could use to steal sensitive data from millions of users.

Mozilla Firefox

By design, each Firefox extension -- any of a number of free software applications that can be added to the popular open-source browser -- is hard-coded with a unique Internet address that will contact the creator's update server each time Firefox starts. This feature lets the Firefox browser determine whether a new version of the add-on is available.

Mozilla has always provided a free hosting service for open-source extensions at But many third-party makers opt to serve updates on their own, using servers that often transmit the updates via insecure protocols (think http:// instead of https://).

As a result, if an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- he could also intercept this update process and replace a Firefox add-on with a malicious one.

According to Chris Soghoian, the Indiana University doctoral candidate who discovered the weakness, the vulnerability exists for some of the most popular Firefox add-ons, including Google Toolbar, Google Browser Sync, Yahoo Toolbar,, Facebook Toolbar, AOL Toolbar, Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions. Ironically, at least two of the toolbars listed here are designed to help protect users from new security threats.

The problem is especially dangerous with Google's toolbar. Firefox usually will alert users that new versions of installed add-ons are available and give users the option to decline or accept the updates. But Soghoian said Google's toolbar (which is bundled with Firefox) updates without any such prompts.

"Typically, when Firefox sees that an update for any installed extension becomes available, upon next browser restart Firefox will prompt the user 'do you wish to install the update,'" Soghoian said. "However, Google disabled this, and thus, if Firefox sees that there is an update for any google made extension, upon next restart, Firefox automatically downloads and installs the update without prompting the user."

Soghoian details his research on his blog. He has a video demo of the hack here (it's a QuickTime movie).

Interestingly, this attack against any other poorly secured add-on prompts the user to take action before installing the malicious update. While most people when prompted to update their extensions probably would still click "OK," it's a noteable distinction nonetheless. See this video for an example of the same attack against a regular, unsecured add-on.

At this point, a number of security-wise readers will likely say, "So what? Hijacked or just plain old evil Wi-Fi hot spots are a known security threat." While that's certainly true, this is a new vector for exploiting that threat. What's more, the methods for hijacking the domain name system (DNS) server, which helps direct traffic on wired and wireless networks, are well-understood and easy to execute given publicly available tools.

Finally, there's something else that makes this threat even more worrisome. Security Fix has long urged Windows users to avoid running their system under the all-powerful "administrator" account for every day use. Instead, users are urged to set up "limited user" accounts that make it far more difficult for malicious software to be silently installed on their PCs. That's because limited user accounts generally do not have permission to install new software or modify key system settings.

But this attack against ill-secured, third-party Firefox add-ons would succeed regardless of which type of account the Windows user is using. That's because Firefox extensions are designed to install and update whether or not the underlying user account has permissions to install software.

Soghoian has published the responses (or lack thereof) that he received from each of the above-named extension makers. Most have not fixed the problem on their end. Google said it planned to have the vulnerability corrected by today's date, but over the weekend the company asked Soghoian to delay publishing his findings for a few days more while the company worked on a solution. Soghoian declined that request, saying he didn't think it was appropriate for Google to ask for a delay after ignoring his e-mails for 30 days.

UPDATE, 1:35 p.m. ET: Google got back to Security Fix today about the Firefox vulnerability. Here's what the company had to say: "We were notified of a potential vulnerability in some updates for Firefox extensions. A fix was developed for the Google extensions and users will be automatically updated with the patch shortly. We have received no reports that this vulnerability was exploited."

Dan Veditz, a member of Mozilla's security team, said the company's add-on documentation originally did not advise third-party developers to host updates on secured servers, although the group has modified the documentation to include that recommendation after being contacted by Soghoian.

"This is the sort of folkloric knowledge we just assumed everyone who is trying to do this would know," Veditz said. "It's a basic security concept, that if you're going to update your software from somewhere, do it over a secured channel."

Veditz added that Mozilla is seriously considering blocking all unsecured add-on updates in Firefox 3, the next version of browser, currently slated for release toward the end of the year.

By Brian Krebs  |  May 30, 2007; 5:01 AM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Spy vs. I-Spy: A Tale of Dueling Anti-Spyware Bills
Next: Apple, Mozilla Issue Security Updates


OK, so IE stinks. Netscape isn't much better. I'm not willing to buy a Mac just so I can surf safely...used to have Macs, but just can't justify the cost premium. Now we have problems w/Firefox...where's a guy to go???

Posted by: 22202 | May 30, 2007 9:25 AM | Report abuse

I was wondering how this extension help the attacker ;)

Posted by: MitmWatcher | May 30, 2007 9:28 AM | Report abuse

I agree that if someone hijacks a Wi-Fi hot spot and manipulates DNS requests the game is over for an unknowing user. As you mention that's not only true for the add-ons, that's true for nearly all downloads and requests made from this machine, which can then be manipulated. You could even use Drive-By Pharming to manipulate the DNS settings in an automated fashion.

One remark that I would add is, being able to install a malicious add-on is equal to executing a Trojan. An extension can do a lot more then just nicely format a Web page as Soghoian mentions as well. Read and write local files, read and write the Windows registry and open network sockets are just some of the power an extension has and these on multiple platforms. This could for example be used to bypass two-factor authentication or to do any other sort of mischief.
As mentioned here as well:

Another thought to keep in mind is, what would happen if someone uploaded a malicious extension update to the real upload server? Be it by hacking into the server or simply by owning the extension. Do you check the source of all downloaded updates or do you manually disable all the updates?

Posted by: Candid | May 30, 2007 9:32 AM | Report abuse

Quote: "where's a guy to go???"

Answer: to Linux or BSD.

Posted by: random walk | May 30, 2007 9:47 AM | Report abuse

Hmmm....I just right-clicked on the Google icon, clicked on customize and dragged to "cut" . The Google icon is now gone from my toolbar. Does that mean Google has been disabled in my Firefox?

Posted by: Duke | May 30, 2007 11:10 AM | Report abuse

Google Toolbar has completely messed up my computer and the worst part is that it won't delete! Any tips? Everytime I remove it from my computer it says it will complete removal upon restart, but never does.

Posted by: DC | May 30, 2007 12:01 PM | Report abuse

Candid> Read and write local files, read and write the Windows registry and open network sockets are just some of the power an extension has and these on multiple platforms.

In fact, an extension can do anything the user can do, because it can execute arbitrary programs. There is also the password manager; extensions have full access to any saved urls, userids, and passwords, and can transmit them to third parties at will.

While this is an important issue, and I'm glad Brian is pointing it out, there remains a good deal of risk due simply to extensions with vulnerabilities in them. Since extensions often process data from untrusted sources into other actions, people who control web content can exploit vulnerabilities in extensions. In some cases, this leads to arbitrary code execution.

random walk> Answer: to Linux or BSD.

This is 100% wrong. I mean, Linux and BSD are certainly superior choices for the general security problem, but in this case they are no help at all. Extensions are written in Javascript and chrome, which are completely platform independent. The only benefit, extension-wise, to not using Windows in this particular scenario is that an extension that invokes an external program will have to be written slightly differently to complete an attack on any other OS, but this is not difficult, and an attack against an extension can easily be polymorphous enough to handle this.

Posted by: antibozo | May 30, 2007 12:06 PM | Report abuse

You can run Firefox in "Safe-mode" without any extensions/add-ons if you are worried about this. This shortcut is installed by default next to the regular Firefox one, at least on Windows. I use Firefox like this when I'm working on things that I really don't want hijacked, as the add-ons are more likely to be hijackable than Firefox itself.

Posted by: Wilbur | May 30, 2007 12:14 PM | Report abuse

I think this gets to a point that Microsoft got right before it got it horribly wrong. The ActiveX debacle happened for two reasons: 1) Microsoft purposely un-sandboxed IE to let it serve as a Windows-centric development platform to compete with Java
2) Microsoft assumed (this being the mid-to-late 90s, when public-key encryption was just being adopted by mainstream businesses) that some sensible code/executable-signing mechanism would come forth so that people could sign code based on trust networks. The trust networks part turned out to be waaaaay more difficult that MS presumed. So ActiveX controls basically can be installed untrammeled.

Firefox, though thankfully less deeply embedded into the OS is now running into the same problem. Either the Internet develops a trusted authority to manage installation of things that can see any sort of personal (i.e. useful) data or all code has to be complete sandbox for seeing any useful data, or you'll end up with the same attack vector.

The problem seems to be that the trust network concept became subject to a closed-standard control battle that other parts of the Internet were born early enough to miss (e.g. DNS, TCP/IP, etc. - all basically open standards). This needs to be run by IETF or someone similar, not by Verisign/Microsoft or Google/CA or whatever. The fact that the descendent of DomainKeys has moved towards adoption is fairly promising, but we're still a long way from where we need to be.

Posted by: Eric E | May 30, 2007 12:28 PM | Report abuse

Eric E, while you make some good points, I don't understand why you're suggesting that the code signing problem is difficult or involves proprietary methods.

Extensions are already in jar files. There's an established method for signing jar files. Problem solved, no?

As far as the PKI goes, well, if is going to be the authority, they'll have to do the actual signing. They already act as a gatekeeper, however, so this is just an augmentation of their existing procedures.

Posted by: antibozo | May 30, 2007 12:33 PM | Report abuse

DC> Everytime I remove it from my computer it says it will complete removal upon restart, but never does.

Try quitting Firefox, locating the directory in your Mozilla profile directory that contains the Google toolbar extension, and moving this directory elsewhere.

Posted by: antibozo | May 30, 2007 12:38 PM | Report abuse

Okay, so I've been using Firefox thinking it's a much safer alternative to IE. Is that still the case? If I'm accessing sensitive information, such as online banking, which browser is safest? Are there steps I can take with Firefox in the mean-time (remove add-ons?) and if so, how do I do it? Please help!

Posted by: KS | May 30, 2007 12:41 PM | Report abuse

You'll save yourself hundreds of dollars in grief by just getting a Mac and not have to worry about whether these add-ons and other evil things will destroy your computer. I finally caved and bought an iMac - yeah, it was more expensive - but I figure the ridiculous experience I had with a Windows XP laptop and a desktop PC I bought a few years back justified the extra $300 I spent. My time is too precious to spend it de-bugging and troubleshooting evil malware on a machine.

Posted by: PU | May 30, 2007 1:03 PM | Report abuse

>>Now we have problems w/Firefox...where's a guy to go???

Evidently, one should minimize the number of Firefox add-ons running, and also disable their auto-updating. (I long ago disabled Firefox's checking for all updates.)

Posted by: Mark Odell | May 30, 2007 1:11 PM | Report abuse

Mark Odell> also disable their auto-updating

If you think that the threat of a MITM attack against the update process is greater than the threat of a vulnerability in one of your extensions being exploited, then disabling auto-updates for Firefox and extensions makes sense.

I don't agree with that part of the assessment, personally, at least for most people. There's a lot of code in extensions, and DNS-based MITM attacks remain relatively rare. Of course there are numerous reasons one shouldn't perform any system maintenance while connected to an untrusted wireless access point. I recommend all system maintenance be conducted over a wired connection. But for someone who is minimalist about installing extensions and who follows a regular manual update regimen, while keeping an eye on published vulnerabilities, disabling auto-updates might be okay.

Posted by: antibozo | May 30, 2007 1:35 PM | Report abuse

One reason I bought a Mac (Macbook with Core Duo) was the permissions issue with Windows -- Microsoft is just too free with letting anyone install software on your computer.

But while Mac will prompt you for permission to load software, how do you know the software that's loading is legitimate?

It's safer, but there's still a big problem with trusting these Add-Ons.

Posted by: chrisviking | May 30, 2007 1:39 PM | Report abuse

In Firefox/Tools/Options/Advanced/Update, does unchecking the boxes for "Installed Extensions" and "Search Engines" and selecting the button for "Ask me what to do" provide any safety from this vulnerability?

Posted by: Doug Johnson | May 30, 2007 1:44 PM | Report abuse

Good point on the .jar signing mechanism. I'm not intimately familiar with that mechanism, but isn't the problem basically that most small publishers sign either with nothing or with a self-generated cert? From what I've seen, this occurs because a) it's hard to actually get the whole certifying authority thing straight when you're just an individual developer, and b) the certs are pretty expensive. Has .jar signing solved this in some way I don't know about?

Posted by: Eric E | May 30, 2007 2:12 PM | Report abuse

I'm the product manager for the extensions, and I just wanted to say that our new 1.5 extension was never vulnerable to this attack, and we patched the older 1.2 release as soon as we heard about the issue at the beginning of May. Current 1.2 users should have received notification when launching Firefox and will get the signed version of the extension when accepting the update. Also, as of early May, all official extensions are hosted on and are properly signed and served over SSL.


Posted by: Nick Nguyen | May 30, 2007 3:30 PM | Report abuse

Doug Johnson> In Firefox/Tools/Options/Advanced/Update, does unchecking the boxes for "Installed Extensions" and "Search Engines" and selecting the button for "Ask me what to do" provide any safety from this vulnerability?

I would leave the checkboxes checked, but select the "Ask me what to do" radio. At least then you will know when legitimate updates are available. If you want more confidence as to their veracity, check that the new version matches on, and check multiple times over a couple of days before you commit the upgrade.

Posted by: antibozo | May 30, 2007 5:15 PM | Report abuse

Eric E, re jar signing, no there's no magic--just an embedded signature file in a defined path in the jar file. Here are two offhand scenarios with manageable cost:

1. signs everything. This obviates the distribution path issue; developers need to get new versions signed by mozilla, but the updates can then be distributed from anywhere.

2. Each extension provides a self-signed certificate and a self-update method that checks the downloaded update using the embedded certificate from the previous install. The trick here would be rollover of certificates if someone skipped an intermediate update but I suspect a workable strategy is possible.

I'd lean toward 1 just because I can imagine some add-on developers not being able to figure out 2.

Anyway, further discussion is warranted, and I'm sure a lot of it's happened already in other venues. But look at how things like Java WebStart handle code signing for reference.

Posted by: antibozo | May 30, 2007 9:19 PM | Report abuse

speaking of Firefox - I'm a Mac user, and I just noticed some malware which took over my Firefox browser - something called ""

Does anybody have any idea about what's happening? A quick search suggests this is more of a Windows problem, but I'm alarmed to see that Firefox has these vulnerabilities, and I was wondering if I managed to catch a Mac virus.

Posted by: mac user | May 31, 2007 5:04 AM | Report abuse

I'm a Mac user who also runs Firefox, and I just noticed a new malware pop-up ""

I did a quick search and it looks like this is more of a Windows problem, but considering this news about Firefox, I was wondering - have I managed to catch a Mac virus?

Posted by: mac user | May 31, 2007 5:09 AM | Report abuse

So, don't add the extensions. Is there anything you can't do without the add-ons? Shouldn't your security system/anti-malware programs block anything unusual? Sacrifice speed for safety.

Posted by: buzzvader | May 31, 2007 9:02 AM | Report abuse

If you can hijack a hot spot and manipulate DNS, you can vector a lot more attacks than this.

Posted by: DBH | May 31, 2007 10:13 AM | Report abuse

"This is the sort of folkloric knowledge we just assumed everyone who is trying to do this would know,"

It's this sort of bad attitude by security experts that prevents the general development community from adopting secure practices.

Do NOT assume that everyone knows what the right thing to do is.

Its difficult enough to educate developers in a single organization where you can have consistent education efforts, but to ASSUME that every plug-in creator/hobbyist knows all the best security practices is a recipe for disaster.


Posted by: DA | May 31, 2007 3:10 PM | Report abuse

The Google Toolbar is not bundled with Firefox. At least not with any setup you download from Mozilla.


Posted by: Anonymous | May 31, 2007 5:07 PM | Report abuse

MitmWatcher> Thanks for the info on ffsniffer. It should still work. And it should still work on all platforms with just a few tweaks. The only weakness is the email account - you usually need a password, and even if you don't the email address sits there plain as day. They have awfully tight
perms on those folders (directories) and files.

mac user> I don't think you have anything to fear with infecting a Mac, but they also do browser exploits. But more to the point, every blocking hosts file out there blocks them (ergo, put a blocking hosts file on your Mac):

The second has a Pseudo Web Server (phttpd), but no Mac owner will volunteer to provide for an automatic launchd startup so you will have to do a sudo nohup ./phttpd & every time you log in. Approximately 25% of the entries in those files are JavaScript, Java, or other web browser exploits which have no respect for any OS (works on all of them).

Brian> Thanks for the heads up. They can't ignore it any more. I am especially unhappy about the PhishTank and Netcraft problems (no I don't have them - but they are supposed to help people). I think people that use Firefox should adopt the motto that "less is more" (less extensions is more secure).

All> Sorry, but Netscape isn't just a little bit better. For the vast majority of people it is a much safer browser than all the rest. It is just that all those wonderful plugins that are available for Firefox that you think you need (and unfortunately IE provided some whether you want them or not) aren't usually available for Netscape. Do you really need all of the plugins you have? But even worse, do you really need your browser to keep all of the information forever? I advise you to toss everything when the browser closes.

Posted by: hhhobbit | June 2, 2007 9:56 AM | Report abuse

>>>>If you can hijack a hot spot and manipulate DNS, you can vector a lot more attacks than this.
Posted by: DBH<<<<

When you use an open hotspot, or any foreign network actually, it is a very good idea to manually configure your computer (in the TCP/IP properties page) to use trusted third-party DNS servers, like those at, instead of those assigned by the foreign network. These are their free, open DNS servers:


For more complete security, also use a proxy server with SSL.

Posted by: HoD | June 2, 2007 12:46 PM | Report abuse

Well, like everything else, the more plumbing you add to the program, the easier it will be to clog it.
I use FF. I have set as my homepage, (it loads VERY fast), I also primarily use gmail so I do not have to have anything else open. FF has a google search bar built into it, so I guess I do not see the need to download an add on for it.
I try and teach this time and time again, and I will try to teach it here:
Use the K.I.S.S. principle.
Keep It Simple and Stupid
You do not need all of the toolbar add-ons. Do not be a "lazy" surfer.

Posted by: PapaSmurf | June 4, 2007 11:05 PM | Report abuse

To late to ask this question?
I just created a limited user and found that I am like a babe in the woods on the internet.
No web site knows me, no passwords, no cookies, even no bookmarks. It would take hours to set up things so they work for me under the other logon. It may be a great thing to do a new computer. Is there anyway to overcome this problem?

Posted by: max3a | June 5, 2007 1:26 PM | Report abuse

Max3a -- Your best bet is to change your normal (admin) account over to a limited account, and continue using that. You need to have at least one administrator account on every Windows PC, so you may need to change the otherwise useless limited account you created over to an admin account before reversing what you've done. Does that make sense?

Posted by: Bk | June 5, 2007 6:11 PM | Report abuse

Posted by: Hero | June 6, 2007 1:15 AM | Report abuse

Posted by: Hero | June 6, 2007 1:15 AM | Report abuse

Posted by: Hero | June 6, 2007 1:15 AM | Report abuse

pre-pharmacy undergraduate schools

Posted by: yjtyjtr | June 9, 2007 8:50 PM | Report abuse

pre-pharmacy undergraduate schools

Posted by: yjtyjtr | June 9, 2007 8:50 PM | Report abuse

pre-pharmacy undergraduate schools

Posted by: yjtyjtr | June 9, 2007 8:50 PM | Report abuse

Cameron Diaz and former boyfriend Justin Timberlake attend the UK premiere of their film Shrek the Third...

Posted by: Lance Rincon | June 15, 2007 11:39 AM | Report abuse

Radical Islamic groups in Pakistan hold protests over the UK's knighthood to Salman Rushdie...

Posted by: Irvin Samson | June 22, 2007 5:30 PM | Report abuse

Radical Islamic groups in Pakistan hold protests over the UK's knighthood to Salman Rushdie...

Posted by: Irvin Samson | June 22, 2007 5:30 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company