Evil side of Firefox extensions



Background
----------
Firefox is a very popular and secure web browser. By now, it is used by
millions of people and thousands of internet clubs. One of the great features of
Firefox is its extensions. You can use them to create things inside your browser
which are beyond your imagination. But everything has another side.

Overview
--------
Writing a powerful extension is an extremely simple process. Extensions are
allowed to do _everything_ with your browser: they can change the skin, block
banners on pages or even create a network connection and send data through it to
the internet. The worst of all is that _anyone_ who has physical access to
your computer can install extensions into your browser _without_ notifying
you.

As an example, I created a simple HTML form sniffer. You can download it here:
http://azurit.gigahosting.cz/ffsniff/

It was tested only with Firefox 1.0.x and 1.5.x.

FFsniFF is a simple Firefox extension which transforms your browser into an
HTML form sniffer. Every time the user clicks the 'Submit' button, FFsniFF will
try to find a non-blank password field in the form. If one is found, the entire
form (along with the URL) is sent to the specified e-mail address.

Solution
--------
I think that the solution for this should be the ability to lock the
installation of extensions with a password. Every user will be able to read the
hash of the password (so the browser can verify it) and only the system
administrator will be allowed to change it (it can be stored, for example, in
the registry [Windows] or somewhere in the /etc dir [Linux]).


azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk


