Re: Evil side of Firefox extensions



On Wed, 01 Mar 2006 21:12:28 +0100
"azurIt" <azurit@xxxxxxxx> wrote:
> I was primarily talking about the internet clubs. FFsniFF was tested on
> _one_ computer in a local internet club: About 30 sniffed accounts
> (mostly mail and chat accounts) in two days.
> There are also other ways extensions can be installed into your
> browser. For example, by some kind of virus.
>
> The only thing which I wanted to say is that there should be a way
> to disallow installation of extensions by anyone.

A few solutions here, without modifying Firefox:

First, some kind of disk-clean-on-reboot thing, and reboot regularly
(if not every time someone's done using the machine). Practical in some
places (university computer labs), not in others (might cause problems
in a club).

A practical revision of that: have the Firefox launch icon launch
Firefox from a freshly-copied, pristine profile. Every time Firefox
closes, the profile gets wiped and reinstated on its next run. This can
be done securely - the profile could even reside in a PGP-signed ZIP
file that gets unpacked on app launch. Or, on certain *Nix systems
(esp. OpenBSD), a clever use of auto-erased union mounts could do the
trick.

Second idea: more fine-grained locking of the permissions on the
Firefox profile directories. Deny the kiosk user permission to write to
the extensions directory in the Firefox profile, but let them write to
the cache, etc. The fresh-profile solution is probably better though.

It may be useful for Firefox to have a "kiosk" mode where extensions,
preferences, etc. are locked; however, a lot of this can be achieved
with a fresh profile each startup.

- Michael

--
mouse, n: a device for pointing at the xterm in which you want to type.
-- Fortune
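
The fresh-profile launcher suggested in the message above, as an added example that is not part of the original post and is not Firefox's own tooling. The pristine profile path and the `--launch` switch are assumptions; `-profile` and `-no-remote` are existing Firefox command-line options.

```shell
#!/bin/sh
# Added example, not from the original post. Launches a browser from a
# throwaway copy of a pristine profile and wipes the copy afterwards.
# Assumptions: the pristine path below is hypothetical, and the pristine
# tree is owned by an admin account the kiosk user cannot write to.

# run_with_fresh_profile PRISTINE_DIR CMD [ARGS...]
# Runs "CMD ARGS -profile <copy>" and returns CMD's exit status (2 on
# setup failure). The body is a subshell so the traps stay local to it.
run_with_fresh_profile() (
    pristine=$1
    shift
    if [ ! -d "$pristine" ]; then
        echo "missing pristine profile: $pristine" >&2
        exit 2
    fi

    # mktemp -d creates the directory with mode 0700, so other local
    # users cannot plant files in the working profile during the session.
    work=$(mktemp -d "${TMPDIR:-/tmp}/ffprofile.XXXXXX") || exit 2

    # Wipe the copy on every exit path, including a killed session.
    trap 'rm -rf "$work"' EXIT
    trap 'exit 1' HUP INT TERM

    # Copy the contents (dotfiles included); the pristine tree is only read.
    cp -R "$pristine/." "$work/" || exit 2

    # Foreground run: cleanup happens only after the browser has exited.
    "$@" -profile "$work"
    exit $?
)

# Kiosk entry point, used only when called as: launcher.sh --launch
if [ "${1:-}" = "--launch" ]; then
    run_with_fresh_profile "${PRISTINE:-/opt/kiosk/firefox-pristine}" \
        firefox -no-remote
fi
```

Anything written into the profile during a session, an installed extension included, lands in the copy and is deleted with it. The signed-archive variant from the message would add a signature check before the copy step.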


