Top Firefox extensions can hide silent malware using easy pre-fab tool

The fix? No patch, just destroy all extensions.

Black Hat Asia The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla's automated and human security tests.

The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate functionality.

Professor William Robertson (left) and PhD candidate Ahmet Buyukkayhan

For example, an attacker could write an innocuous-looking extension that, once installed alongside a popular but vulnerable extension, reuses that extension's privileged code to carry out machine-pwning functionality of the attacker's own choosing, without the malicious extension itself having to contain any obviously dangerous code.

The researchers explained that extensions run with elevated privileges and access to information, so a malicious extension could steal private browsing data, passwords, and sensitive system resources.

Among the extensions found vulnerable to the 255 reuse exploits were NoScript, with 2.5 million users; Video DownloadHelper, with 6.5 million; and GreaseMonkey, with 1.5 million. Adblock Plus, with its 22 million users, was unaffected.

The extension-reuse vulnerabilities gave attackers code execution, event listener registration, and network access, among other opportunities.
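To make the mechanism concrete, here is an added example; it is not code from the page, from the researchers or from Mozilla, and it does not use Firefox's real XPCOM/XUL APIs. It is a toy model, in Node.js, of the legacy add-on environment in which every add-on runs in one shared, privileged JavaScript context: a legitimate "download helper" exposes a routine on the shared scope, a second add-on that never names a privileged API reaches that routine and uses it, and a naive per-extension check that greps for privileged API names flags only the legitimate add-on. The `platform` API, both add-on sources, the `sharedScope` object and the `flagsPrivilegedUse` heuristic are all constructed for this example; the function name `validateThisWebsite` merely borrows the name of the proof-of-concept mentioned later in the article.

```javascript
// Added example: toy model of a shared, privileged add-on context. Nothing
// here is Firefox code; every object below is constructed for illustration.

// Stand-in for a privileged platform API that add-ons may call directly.
// Calls are recorded so a caller can see which actions were triggered.
const platform = {
  log: [],
  downloadToDisk(url, path) {            // a privileged capability
    this.log.push({ api: 'downloadToDisk', url, path });
    return true;
  },
};

// The shared global scope: in the legacy model, add-ons could reach each
// other's objects through a common context (modelled here as one object).
const sharedScope = {};

// Add-on A: a legitimate, widely installed "download helper". It exposes a
// helper on the shared scope for its own UI code to call.
const legitExtensionSource = `
  sharedScope.DownloadHelper = {
    save(url, path) { return platform.downloadToDisk(url, path); }
  };
`;

// Add-on B: the extension-reuse payload. It never names a privileged API; it
// only calls whatever the legitimate add-on left on the shared scope.
const reuseExtensionSource = `
  function validateThisWebsite(url) {
    const helper = sharedScope.DownloadHelper;
    if (!helper) return false;             // victim not installed: stay quiet
    helper.save(url, '/tmp/payload');      // privileged action via reuse
    return true;
  }
  sharedScope.validateThisWebsite = validateThisWebsite;
`;

// Naive per-extension vetting heuristic (constructed): flag any source that
// names a privileged API. It exists only to show why reviewing one extension
// at a time cannot see a capability that lives across two of them.
const PRIVILEGED_APIS = ['downloadToDisk'];
function flagsPrivilegedUse(source) {
  return PRIVILEGED_APIS.some((api) => source.includes(api));
}

// "Install" an add-on by evaluating its source inside the shared context.
function install(source) {
  new Function('platform', 'sharedScope', source)(platform, sharedScope);
}

// Install the victim, then the reuse add-on, then trigger the payload.
function runScenario() {
  platform.log.length = 0;
  for (const key of Object.keys(sharedScope)) delete sharedScope[key];
  install(legitExtensionSource);
  install(reuseExtensionSource);
  const triggered = sharedScope.validateThisWebsite('http://example.invalid/x');
  return {
    legitFlagged: flagsPrivilegedUse(legitExtensionSource),  // true
    reuseFlagged: flagsPrivilegedUse(reuseExtensionSource),  // false
    triggered,                                                // true
    privilegedCalls: platform.log.length,                     // 1
  };
}

console.log(JSON.stringify(runScenario()));
```

Run it with `node`: the reuse add-on is never flagged, yet one privileged download is performed on its behalf. The point is not the toy heuristic but the review boundary it illustrates: vetting each extension in isolation cannot see a capability that exists only in the combination of two installed extensions, which is why the WebExtensions move to isolated contexts removes this class of attack.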

Northeastern University PhD candidate Ahmet Buyukkayhan and Northeastern University Professor William Robertson presented the attacks at the Black Hat Asia hacking event in Singapore, releasing a framework dubbed Crossfire they used to identify extensions open to extension reuse vulnerabilities.

“We have a lot of trust placed in browser vendors … but if you think about it, really squint your eyes, the extension framework really is a backdoor for potentially untrusted third parties to run code in a highly-privileged context,” Robertson says.

“We really shouldn't have trust in the extension authors.

“The combination of automated analysis, manual review, and extension-signing – the vetting model that underpins all of Firefox's extension security – if something goes wrong, then all bets are off.”

And things did go wrong. The pair were able to upload a malicious, but ultimately harmless, proof-of-concept extension to the Firefox add-on store, and it passed even the more intensive 'fully reviewed' analysis they requested. The extension, dubbed ValidateThisWebsite, contained 50 lines of code and no obfuscation.

“The more power vulnerable extensions have, the easier it is for an evil extension to work,” Buyukkayhan says.

“The full review is the highest level of security Mozilla has.”

The proof-of-concept was built with Crossfire, which also sports a template function that makes extension-reuse exploit development much faster.

That framework was supplied to Mozilla as part of a thorough research briefing at the end of which Firefox security wonks have committed to extra vigilance in extension review.

The disclosure of the new attack vectors, the product of an impressive two years' research, comes five months ahead of Mozilla's pivot to model its extensions on the more secure Google Chrome model. Developers will still have 18 months from August to migrate to the hardened, isolated WebExtensions model before the vulnerable legacy add-ons are nuked.

Mozilla already maintains a list of malicious extensions which sports 161 blacklisted items, a number that is likely to grow if attackers exploit the new extension-reuse model.

Firefox product man Nick Nguyen says the new WebExtensions are unaffected.

"The way add-ons are implemented in Firefox today allows for the scenario hypothesised and presented at Black Hat Asia," Nguyen says.

"The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.

"Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security.

The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."

Later this year, under its Electrolysis initiative, Mozilla will introduce a multi-process architecture to Firefox and sandbox extensions so that they cannot share code. ®
