Firefox extensions are not isolated from one another: a purpose-built add-on could exploit vulnerabilities in other extensions to carry out attacks with a high probability of success.
NoScript, Firebug and other popular Firefox extensions can expose end users to a new type of attack that allows the execution of malicious code and the stealthy theft of sensitive data. Security researchers Ahmet Buyukkayhan and William Robertson presented the problem at Black Hat Asia, held from 20 March to 1 April in Singapore.
The attack is made possible by the fact that Firefox, unlike other browsers, does not enforce any isolation between the extensions a user installs. This "reuse" vulnerability lets a malicious add-on hide its behavior by relying on the functionality of other extensions. Instead of, for example, directly making the system visit a fraudulent website or download malicious files, the add-on exploits vulnerabilities in third-party extensions that can carry out those actions on its behalf.
"This vulnerability allows an apparently harmless extension to reuse dangerous security features present in other legitimate extensions, in order to launch stealthy confused deputy attacks. Harmful extensions that make use of this technique would be much more difficult to detect through the current methods of analysis," explain the authors of the research, which is detailed in this document.
Among the 10 most popular extensions officially approved by Mozilla and made available on its official website, only AdBlock Plus has no flaw that can be exploited by an add-on relying on the vulnerability-reuse technique. Besides the above-mentioned NoScript and Firebug, Video DownloadHelper, Greasemonkey and FlashGot Mass Down also showed vulnerabilities that are easily reusable by an extension built for this purpose, which can lead to the removal of browser cookies, access to the file system, or the opening of web pages chosen by an attacker.
"We observed that while it is possible to combine the vulnerabilities of various extensions to build complex attacks, it is often enough to employ just a single vulnerability to launch dangerous attacks with a high probability of success, making this type of threat rather serious even in the presence of a small number of extensions," the researchers observed.
The researchers developed a very simple Firefox extension as a proof of concept. The extension, named ValidateThisWebsite, ostensibly analyzes the HTML code of a website to determine whether it meets current standards. Behind the scenes, the extension makes a cross-extension call to NoScript that causes Firefox to open a web address chosen by the researchers. As noted, this is a result of the lack of isolation between Firefox extensions.
Mozilla has acknowledged the problem and has said it is working on a complete rewrite of the way Firefox manages and uses extensions, so as to apply sandboxing measures that prevent code sharing. In particular, Nick Nguyen, Mozilla's vice president of product for Firefox, commented:
"The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed. Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative – our project to introduce multi-process architecture to Firefox later this year – we will start to sandbox Firefox extensions, so that they cannot share code."
The researchers suggest that, pending the public availability of the new extension architecture, the add-on review process be amended so that potentially harmful extensions and cross-extension vulnerabilities can be identified more accurately.
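
One way a review step could flag cross-extension reuse, shown as an added example that is not the researchers' tool or Mozilla's code. It assumes traditional add-ons share one JavaScript namespace; the add-on ids, global names, inventory and candidate source are all hypothetical and constructed.

```javascript
// Added illustration. All add-on ids and global names are hypothetical.
// Constructed inventory: globals each installed add-on puts in the shared namespace.
const exportedGlobals = {
  "popular-addon-a": ["addonA"],
  "popular-addon-b": ["addonB", "addonBUtils"],
};

// String literals and comments, blanked out so names inside them are not counted.
// Newlines are kept so reported line numbers stay correct.
const NON_CODE = /"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\[\s\S]|[^`\\])*`|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
const stripNonCode = (src) => src.replace(NON_CODE, (m) => m.replace(/[^\n]/g, " "));

// Report every reference in `source` to a global owned by a different add-on.
function findCrossExtensionRefs(candidateId, source, inventory) {
  const code = stripNonCode(source);
  const findings = [];
  for (const [owner, names] of Object.entries(inventory)) {
    if (owner === candidateId) continue; // an add-on may use its own globals
    for (const name of names) {
      // Bare `name` or `window.name`, optionally followed by `.member`;
      // `other.name` (a property of some unrelated object) is not matched.
      const re = new RegExp(
        `(?<![\\w$.])(?:window\\s*\\.\\s*)?${name}\\b(?:\\s*\\.\\s*([\\w$]+))?`, "g");
      for (const m of code.matchAll(re)) {
        const line = code.slice(0, m.index).split("\n").length;
        findings.push({ owner, name, member: m[1] || null, line });
      }
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed candidate source for a "validator" add-on under review.
const sampleSource = [
  "// validator add-on; the word addonB in a comment is not a reference",
  "function validate(doc) {",
  "  var note = 'uses addonA.helper';",
  "  addonA.openTab(doc.reportUrl);",
  "  return window.addonBUtils.readFile;",
  "}",
].join("\n");

for (const f of findCrossExtensionRefs("validator-addon", sampleSource, exportedGlobals)) {
  console.log(`line ${f.line}: uses ${f.name}.${f.member} owned by ${f.owner}`);
}
```

A textual scan like this misses aliased or dynamically computed references, so its findings are a prompt for manual review rather than a verdict.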