Makers of some of the most popular extensions, or "add-ons," for Mozilla's Firefox Web browser may have inadvertently introduced security holes that criminals could use to steal sensitive data from millions of users.
By design, each Firefox extension -- one of the many free programs that can be added to the popular open-source browser -- carries a hard-coded update address in its install manifest (the em:updateURL field of the extension's install.rdf). Each time Firefox starts, it contacts that address on the creator's server to learn whether a newer version of the add-on is available.
Mozilla has always provided a free hosting service for open-source extensions at addons.mozilla.org. But many third-party makers opt to serve updates from their own servers, which often deliver the update information over an insecure protocol (plain http:// rather than https://).
As a result, an attacker who had hijacked a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- could also intercept this update check, answer it with a forged update manifest, and have Firefox download and install a malicious add-on in place of the genuine one. Because Firefox did not require add-on update packages to be signed, nothing on the user's side catches the substitution.
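As an added example (not code from the article or from any of the extension makers it names), the following Python script audits Firefox install manifests for exactly this weakness: it reads the em:updateURL that install.rdf uses to tell Firefox where to poll for updates and flags any value that uses plain http://. The sample manifests, add-on IDs and hostnames in it are constructed for illustration, and the profile-scanning helper assumes the Firefox 2-era layout of one install.rdf per directory under the profile's extensions folder.

```python
"""Audit Firefox (2.x-era) extension install manifests for update URLs
fetched over plain HTTP.

Added example, not from the original article or from any extension vendor.
It inspects the em:updateURL field that install.rdf uses to tell Firefox
where to poll for updates; an http:// value is the weakness the article
describes, since anyone on the network path can rewrite the response.
The sample manifests below are constructed; the add-on IDs and hostnames
in them are made up.
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EM = "http://www.mozilla.org/2004/em-rdf#"            # em: namespace
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"   # RDF: namespace


def _em_value(desc, name):
    """Return em:<name> from a Description node, whether it is written as a
    child element or as an attribute (install.rdf allows both spellings)."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")


def audit_manifest(xml_text):
    """Classify one install.rdf.

    Returns a dict with the add-on id, the update URL (or None) and a status:
      'insecure'        update URL uses http://
      'secure'          update URL uses https://
      'mozilla-default' no updateURL, so Firefox polls Mozilla's own service
      'unknown-scheme'  anything else (worth a manual look)
    """
    root = ET.fromstring(xml_text)
    # The install manifest is the Description whose about= is a fixed URN;
    # the attribute may be written bare or as RDF:about.
    desc = None
    for d in root.iter(f"{{{RDF}}}Description"):
        about = d.get("about") or d.get(f"{{{RDF}}}about")
        if about == "urn:mozilla:install-manifest":
            desc = d
            break
    if desc is None:
        raise ValueError("no urn:mozilla:install-manifest Description found")

    addon_id = _em_value(desc, "id")
    update_url = _em_value(desc, "updateURL")
    if update_url is None:
        status = "mozilla-default"
    else:
        scheme = urlsplit(update_url).scheme.lower()
        status = {"http": "insecure", "https": "secure"}.get(scheme, "unknown-scheme")
    return {"id": addon_id, "update_url": update_url, "status": status}


def audit_extensions_dir(extensions_dir):
    """Walk <profile>/extensions/<id>/install.rdf and audit each manifest.
    (Assumed layout of a Firefox 2-era profile; path is the caller's.)"""
    results = []
    for entry in sorted(os.listdir(extensions_dir)):
        path = os.path.join(extensions_dir, entry, "install.rdf")
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as f:
                results.append(audit_manifest(f.read()))
    return results


# Constructed sample manifests (element form, attribute form, and one that
# leaves updateURL out and therefore relies on Mozilla's update service).
INSECURE_MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>
"""

SECURE_MANIFEST = """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description RDF:about="urn:mozilla:install-manifest"
                   em:id="safe@example.invalid"
                   em:version="2.3"
                   em:updateURL="https://updates.example.invalid/update.rdf"/>
</RDF:RDF>
"""

AMO_MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>hosted@example.invalid</em:id>
    <em:version>0.9</em:version>
  </Description>
</RDF>
"""

if __name__ == "__main__":
    for text in (INSECURE_MANIFEST, SECURE_MANIFEST, AMO_MANIFEST):
        r = audit_manifest(text)
        print(f"{r['status']:16} {r['id']}  {r['update_url']}")
```

Run it against a real profile with audit_extensions_dir(os.path.expanduser("~/.mozilla/firefox/<profile>/extensions")) to list every installed add-on whose update check can be rewritten in transit; the "mozilla-default" entries are the ones that left update hosting to addons.mozilla.org.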
According to Chris Soghoian, the Indiana University doctoral candidate who discovered the weakness, the vulnerability exists for some of the most popular Firefox add-ons, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions. Ironically, at least two of the toolbars listed here are designed to help protect users from new security threats.
The problem is especially dangerous with Google's toolbar. Firefox usually will alert users that new versions of installed add-ons are available and give users the option to decline or accept the updates. But Soghoian said Google's toolbar (which is bundled with Firefox) updates without any such prompts.
"Typically, when Firefox sees that an update for any installed extension becomes available, upon next browser restart Firefox will prompt the user 'do you wish to install the update,'" Soghoian said. "However, Google disabled this, and thus, if Firefox sees that there is an update for any Google-made extension, upon next restart, Firefox automatically downloads and installs the update without prompting the user."
Interestingly, the same attack against any other poorly secured add-on prompts the user to take action before the malicious update is installed. While most people prompted to update their extensions probably would still click "OK," it's a notable distinction nonetheless. See this video for an example of the same attack against a regular, unsecured add-on.
At this point, a number of security-wise readers will likely say, "So what? Hijacked or just plain old evil Wi-Fi hot spots are a known security threat." While that's certainly true, this is a new vector for exploiting that threat. What's more, the methods for hijacking the domain name system (DNS), which directs traffic on wired and wireless networks, are well understood and easy to execute with publicly available tools. Since Firefox relies on DNS to find the extension maker's update server, a spoofed answer is all it takes to steer the update check to the attacker's machine.
Finally, there's something else that makes this threat even more worrisome. Security Fix has long urged Windows users to avoid running their system under the all-powerful "administrator" account for everyday use. Instead, users are urged to set up "limited user" accounts that make it far more difficult for malicious software to be silently installed on their PCs. That's because limited user accounts generally do not have permission to install new software or modify key system settings.
But this attack against ill-secured, third-party Firefox add-ons would succeed regardless of which type of account the Windows user is using. That's because Firefox extensions are installed and updated inside the user's own Firefox profile folder, which any account can write to; no permission to install software system-wide is needed.
Soghoian has published the responses (or lack thereof) that he received from each of the above-named extension makers. Most have not fixed the problem on their end. Google said it planned to have the vulnerability corrected by today, but over the weekend the company asked Soghoian to delay publishing his findings for a few days more while the company worked on a solution. Soghoian declined that request, saying he didn't think it was appropriate for Google to ask for a delay after ignoring his e-mails for 30 days.
UPDATE, 1:35 p.m. ET: Google got back to Security Fix today about the Firefox vulnerability. Here's what the company had to say: "We were notified of a potential vulnerability in some updates for Firefox extensions. A fix was developed for the Google extensions and users will be automatically updated with the patch shortly. We have received no reports that this vulnerability was exploited."
Dan Veditz, a member of Mozilla's security team, said the company's add-on documentation originally did not advise third-party developers to host updates on secured servers, although the group has modified the documentation to include that recommendation after being contacted by Soghoian.
"This is the sort of folkloric knowledge we just assumed everyone who is trying to do this would know," Veditz said. "It's a basic security concept, that if you're going to update your software from somewhere, do it over a secured channel."
Veditz added that Mozilla is seriously considering blocking all unsecured add-on updates in Firefox 3, the next version of the browser, currently slated for release toward the end of the year.