Top Firefox extensions can hide silent malware using easy pre-fab tool

The fix? No patch, just destroy all extensions.

Black Hat Asia The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla's automated and human security tests.

The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate functionality.

Professor William Robertson (left) and PhD candidate Ahmet Buyukkayhan

For example, attackers could copy a popular but vulnerable extension, mount a reuse attack against it, and supply their own machine-pwning functionality on top of it.

The researchers explained that extensions run with elevated privileges and access to information, so a malicious extension could steal private browsing data, passwords, and sensitive system resources.

The extensions vulnerable to the 255 reuse exploits found included NoScript with 2.5 million users, Video DownloadHelper with 6.5 million users, and GreaseMonkey with 1.5 million users. Adblock Plus with its 22 million users was unaffected.

Extension-reuse vulnerabilities gave attackers code execution, event listener registration, and network access, among other opportunities.
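As an added illustration, and not part of the original article or of the Crossfire framework it describes, the following Python script is a small triage tool a reviewer could run over a legacy XPI add-on to see which of the capability classes named above (code execution, event listener registration, network access, plus raw XPCOM component access) its scripts touch. The indicator patterns are a hand-picked heuristic chosen for this example, and the sample add-on, its file names and its scripts are constructed inline so the script runs offline.

```python
import io
import re
import zipfile
from collections import defaultdict
from typing import Dict, List, Set

# Capability indicators for the legacy, XPCOM-based add-on model.
# These regexes are an assumption of this example (a reviewer's starting
# heuristic), not the rule set used by Crossfire or by Mozilla's review.
CAPABILITY_PATTERNS: Dict[str, List[str]] = {
    "code_execution": [
        r"\beval\s*\(",
        r"\bnew\s+Function\s*\(",
        r"\bComponents\.utils\.evalInSandbox\s*\(",
        r"\bnsIProcess\b",
    ],
    "event_listener_registration": [
        r"\.addEventListener\s*\(",
        r"\bnsIObserverService\b",
    ],
    "network_access": [
        r"\bXMLHttpRequest\b",
        r"\bnsIHttpChannel\b",
        r"\bnsIIOService\b",
    ],
    "privileged_component_access": [
        r"\bComponents\.classes\b",
        r"\bCc\[",
    ],
}


def scan_script(source: str) -> Dict[str, List[str]]:
    """Map each capability class to the indicator patterns found in one JS file."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for capability, patterns in CAPABILITY_PATTERNS.items():
        for pattern in patterns:
            if re.search(pattern, source):
                hits[capability].append(pattern)
    return dict(hits)


def scan_xpi(xpi_bytes: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Scan every .js/.jsm member of an XPI (a zip archive) and report per-file hits."""
    report: Dict[str, Dict[str, List[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as archive:
        for name in archive.namelist():
            if not name.endswith((".js", ".jsm")):
                continue  # manifests, locales and images carry no executable code
            source = archive.read(name).decode("utf-8", errors="replace")
            hits = scan_script(source)
            if hits:
                report[name] = hits
    return report


def summarize(report: Dict[str, Dict[str, List[str]]]) -> Set[str]:
    """Union of capability classes exposed anywhere in the add-on."""
    exposed: Set[str] = set()
    for hits in report.values():
        exposed.update(hits)
    return exposed


def build_sample_xpi() -> bytes:
    """Constructed sample add-on: a privileged helper script plus a plain UI script."""
    helper_js = """
// constructed sample: privileged helper typical of a legacy XPCOM add-on
var Cc = Components.classes, Ci = Components.interfaces;
function fetchUpdate(url, cb) {
  var req = new XMLHttpRequest();
  req.open("GET", url);
  req.onload = function () { cb(req.responseText); };
  req.send();
}
function runScript(text) { return eval(text); }
"""
    ui_js = """
// constructed sample: harmless UI wiring
window.addEventListener("load", function () { console.log("ready"); }, false);
"""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("install.rdf", "<RDF/>")  # placeholder manifest, not scanned
        archive.writestr("chrome/content/helper.js", helper_js)
        archive.writestr("chrome/content/ui.js", ui_js)
    return buffer.getvalue()


if __name__ == "__main__":
    sample_report = scan_xpi(build_sample_xpi())
    for path, hits in sample_report.items():
        print(path)
        for capability, patterns in hits.items():
            print(f"  {capability}: {', '.join(patterns)}")
    print("exposed capabilities:", sorted(summarize(sample_report)))
```

The point of the per-file breakdown is that the privileged surface usually lives in one or two helper scripts; a reviewer can then ask whether those helpers are reachable from outside the add-on, which is the condition the article's reuse attacks depend on. A pattern match is a prompt for manual review, not a verdict, and a clean scan says nothing about obfuscated or dynamically loaded code.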

Northeastern University PhD candidate Ahmet Buyukkayhan and Northeastern University Professor William Robertson presented the attacks at the Black Hat Asia hacking event in Singapore, releasing a framework dubbed Crossfire they used to identify extensions open to extension reuse vulnerabilities.

“We have a lot of trust placed in browser vendors … but if you think about it, really squint your eyes, the extension framework really is a backdoor for potentially untrusted third parties to run code in a highly-privileged context,” Robertson says.

“We really shouldn't have trust in the extension authors.

“The combination of automated analysis, manual review, and extension-signing – the vetting model that underpins all of Firefox's extension security – if something goes wrong, then all bets are off.”

And things did go wrong. The pair were able to upload a malicious but ultimately harmless proof-of-concept extension to the Firefox extension shop, even passing the more intensive 'fully reviewed' analysis they had requested. The extension, dubbed ValidateThisWebsite, contained 50 lines of code and no obfuscation.

“The more power vulnerable extensions have, the easier it is for an evil extension to work,” Buyukkayhan says.

“The full review is the highest level of security Mozilla has.”

The proof-of-concept was built with Crossfire, which also sports a template function that makes extension-reuse exploit development much faster.

That framework was supplied to Mozilla as part of a thorough research briefing, at the end of which Firefox security wonks committed to extra vigilance in extension review.

The disclosure of the new attack vectors, the product of an impressive two years' research, comes five months ahead of Mozilla's pivot to model its extensions on the more secure Google Chrome model. Developers will still have 18 months from August to migrate to the hardened, isolated WebExtensions model before the vulnerable legacy add-ons are nuked.

Mozilla already maintains a list of malicious extensions which sports 161 blacklisted items, a number that is likely to grow if attackers exploit the new extension-reuse model.

Firefox product man Nick Nguyen says the new WebExtensions are unaffected.

"The way add-ons are implemented in Firefox today allows for the scenario hypothesised and presented at Black Hat Asia," Nguyen says.

"The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.

"Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security.

"The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."

Later this year, under its Electrolysis initiative, Firefox will introduce a multi-process architecture and sandbox extensions so that they cannot share code. ®


Biting the hand that feeds IT © 1998–2021