Hackers can hijack PCs using Firefox add-ons

Attackers can disguise malware as Firefox extension

May 30, 2007 12:00 PM ET

Computerworld - Hackers can drop malicious code into systems running Mozilla Corp.'s Firefox when the browser is armed with any of several high-profile add-ons, including Google Toolbar and Yahoo Toolbar, a researcher revealed today. Mozilla has acknowledged the risk posed by some extensions.

Christopher Soghoian, a Ph.D. student at Indiana University, outlined how "man in the middle" attackers, especially in public wireless networks, could disguise malware as a Firefox extension and surreptitiously plant their code in lieu of a normal update to one of the vulnerable extensions.

The bulk of Firefox extensions -- small plug-ins that add features or functionality and that are almost universally created by volunteer developers or hobbyists -- are hosted and updated from Mozilla's own SSL-secured site and are not vulnerable to this attack, Soghoian said. A number of broadly used third-party extensions, however, update from their own unsecured servers.

"It's sort of a compounding of errors," Soghoian said. "Mozilla didn't tell developers that they should update from a secure link; they erred in assuming everyone would know to do that. But the add-on developers are at fault for not using a secure server."

Mozilla revised the documentation for crafting and maintaining Firefox extensions after being contacted by Soghoian to post a prominent warning that urges developers to host updates on a site using Secure Sockets Layer.
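An added example, not from the article or from Mozilla: a Python audit that reads the legacy `install.rdf` manifest of each installed extension and flags any whose `em:updateURL` is not HTTPS, which is the condition described above. The profile layout, the reading of a missing `em:updateURL` as the Mozilla-hosted update service, and the sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # install-manifest namespace
def _field(root, name):
    """Return an em: property written as a child element or as an attribute."""
    for el in root.iter():
        if el.tag == EM + name and el.text and el.text.strip():
            return el.text.strip()
        if EM + name in el.attrib:
            return el.attrib[EM + name].strip()
    return None

def audit_manifest(rdf_text):
    """Classify one install.rdf by the transport its update check uses."""
    root = ET.fromstring(rdf_text)
    ext_id = _field(root, "id") or "(unknown)"
    url = _field(root, "updateURL")
    if url is None:
        # Assumption: no custom URL means the Mozilla-hosted update service.
        return ext_id, "mozilla-hosted", None
    scheme = urlsplit(url).scheme.lower()
    return ext_id, ("https" if scheme == "https" else "at-risk"), url

def audit_profile(profile_dir):
    """Audit every unpacked extension under <profile>/extensions/."""
    results = []
    for manifest in sorted(Path(profile_dir).glob("extensions/*/install.rdf")):
        try:
            results.append(audit_manifest(manifest.read_text(encoding="utf-8")))
        except (ET.ParseError, UnicodeDecodeError) as exc:
            results.append((manifest.parent.name, "unreadable", str(exc)))
    return results

def _sample(ext_id, update_url=None):
    """Build a constructed manifest for the demo; not a real extension."""
    upd = f"<em:updateURL>{update_url}</em:updateURL>" if update_url else ""
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#"><Description>'
            f"<em:id>{ext_id}</em:id>{upd}</Description></RDF>")

SAMPLES = [_sample("toolbar@example.invalid", "http://updates.example.invalid/u.rdf"),
           _sample("secure@example.invalid", "https://updates.example.invalid/u.rdf"),
           _sample("hosted@example.invalid")]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_manifest(sample))
```

`audit_profile` only sees extensions unpacked into directories; a manifest still inside a packed archive would have to be extracted first.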

Public wireless access points, like those at airports and coffee shops, would be the most likely scene of an attack, because hackers can use them with relative ease to mimic a legitimate update server with a laptop. But Soghoian warned that other locales would be just as dangerous.

"Any network where you're not running the show puts you at risk," he said. "If you're using your neighbor's wireless, for example." Users of the Tor anonymity network would also be vulnerable, Soghoian added. "There you're trusting your DNS to someone you don't know."

He listed Google Toolbar, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker among the at-risk add-ons, but he couldn't come up with an exhaustive catalog. "I didn't have time to test every extension," Soghoian said, "so I went to Download.com and looked at the top 20."

Ironically, some, such as Netcraft's, are designed to protect users against threats. "Users think 'I'm gonna make myself safer' by installing this extension, but they end up putting themselves at risk."

One vulnerable extension -- the eBay-created, Mozilla-sanctioned add-on for French, German and British online auction users -- was shifted to a secure server within days, Soghoian said.

Other vendors contacted by Soghoian, however, were less responsive.


