Browser extensions, or add-ons, typically provide extra functionality,
beyond that which the browser provides, but that comes with a price:
increased vulnerability potential. The recent disclosure of five separate
vulnerabilities in Firefox extensions serves as a reminder that extensions
occupy a privileged position within the browser. That position makes flaws
in extensions particularly dangerous, as they generally will allow an
attacker's code to run with all the privileges of the user running the
The vulnerabilities were disclosed by Nick Freeman and Roberto Suggi
Liverani of Security-Assessment.com, a New
Zealand-based web and network security firm. In doing research for a DEFCON
presentation [PDF], they found flaws in the following Firefox extensions:
Feed Sidebar, ScribeFire, WizzRSS, CoolPreviews, and Update Scanner. The flaws were found between
February and June of this year, and the presentation lists three more that
have yet to be disclosed.
All five of the flaws have something in common: in one way or another, they
take content from a remote site and handle it incorrectly within the
privileged Mozilla "chrome" context. For example, the Feed Sidebar
extension incorrectly handles the RSS <description> tags, such that a
malicious site could do cross-site scripting (XSS) or HTML injection into the
chrome trusted zone. That would allow the remote site to potentially
perform any action the browser could: access the filesystem, retrieve web
site passwords, execute programs, and so on.
The presentation has several proof-of-concept examples; the one associated
with Feed Sidebar
steals all of the login credentials and sends them off to a remote site.
Another example using the ScribeFire extension sets up a reverse VNC
session so that an attacker could view the desktop of the browser user.
Yet another uses XSS to send a copy of /etc/passwd off to a remote
site. These are all very potent exploits that could be used to seriously
compromise users' privacy and security.
There are certainly more of these problems out there (beyond even the
three undisclosed, thus presumably unpatched, vulnerabilities). Part of
the problem is that the "Mozilla extension security model is
nonexistent", according to Freeman and Liverani's presentation. All
extensions are treated as completely trusted code by Firefox. In addition,
there are no security boundaries between the extensions, so one can quietly
modify another. They also note that other Mozilla applications that allow
extensions (e.g. Thunderbird) are also susceptible to these kinds of
Many Firefox extensions are available through addons.mozilla.org (AMO),
but the researchers point out that extension developers, and the AMO reviewers,
are not necessarily security experts, so bugs like these may slip through.
They also note that the NoScript
extension, with its XSS protection, may be giving a false sense of
security. NoScript whitelists chrome: URLs, which means that it
provides no protection against malicious or buggy extensions.
In many ways, it should come as no surprise that there are bugs—and
security holes—in Firefox extensions, but it is a problem that has
largely flown under the radar. Malicious extensions, downloaded from sites
other than AMO,
are a fairly well-understood vector for attack—at least to users who
are somewhat security-conscious. Extensions that have, or appear to have,
the "blessing" of AMO are a bit of a different story. Many users, even
those who pay attention to security issues, may well expect that those
extensions are rigorously vetted, which seems not to be the case.
There is no reason to believe that these vulnerabilities were
anything other than "standard" programming errors, but those with a
malicious intent probably could sneak
vulnerabilities into AMO extensions—perhaps they have already
done so. The presentation lists two plausible scenarios for how malware
authors might get vulnerabilities introduced into extensions, particularly
popular or recommended extensions.
This research gives us yet another
attack vector to be worried about, but there is also some useful information
on what to look for in extensions that could lead to these kinds of flaws.
With luck, that will help reduce the number of extensions with holes. That
still leaves us with the worry about malicious extension authors.
Without a more rigorous review of extensions—even that won't find
every flaw—there is little that can be done. It is a problem that
will likely be with us for quite some time.
to post comments)