Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Firefox, Tor Browser Vulnerable to Malicious Add-on Attacks

A vulnerability related to certificate pinning allows sophisticated threat actors to compromise the systems of Tor Browser and Firefox users via man-in-the-middle (MitM) attacks and malicious add-ons.

A vulnerability related to certificate pinning allows sophisticated threat actors to compromise the systems of Tor Browser and Firefox users via man-in-the-middle (MitM) attacks and malicious add-ons.

Firefox automatically updates installed add-ons over an HTTPS connection. In order to prevent MitM attacks that leverage misissued certificates, Mozilla also uses a form of certificate pinning.

The problem is that Mozilla does not use the typical HTTP Public Key Pinning (HPKP) and a flaw in its own process has led to pinning for add-on updates becoming ineffective since the launch of Firefox 48 on September 10 and Firefox ESR 45.3.0 on September 3.

Since certificate pinning is not efficient, an MitM attacker who can obtain a certificate for addons.mozilla.org by hacking or tricking a certificate authority (CA) can replace legitimate updates sent to Firefox users with rogue versions. This can lead to arbitrary code execution on the targeted system with no user interaction.

The vulnerability also affects the Tor Browser, which is based on Firefox. The Tor Browser is particularly susceptible considering that, unlike Firefox, which might not have any add-ons installed, it comes with the HTTPS Everywhere and NoScript add-ons preinstalled.

The issue was first brought to light by a researcher who uses the online moniker “movrcx” on September 13. The expert warned that a sophisticated threat actor, such as a nation state or a criminal organization, could leverage a certificate pinning issue to launch mass attacks against Tor users. Movrcx estimated that launching these types of mass attacks would cost an attacker roughly $100,000.

The theoretical attack scenario described by Movrcx was initially “mocked as non-credible” by representatives of the Tor Project. However, a few days after Movrcx’s disclosure, researcher Ryan Duff confirmed that the attack worked against both Firefox and the Tor Browser, and detailed the root cause of the issue.

The Tor Project has already addressed the vulnerability on Friday with the release of Tor Browser 6.0.5. Mozilla has promised to patch the flaw on Tuesday, September 20, with a Firefox security update.

“We are not presently aware of any evidence that such malicious certificates exist in the wild and obtaining one would require hacking or compelling a Certificate Authority. However, this might still be a concern for Tor users who are trying to stay safe from state-sponsored attacks,” explained Selena Deckelmann, senior manager of security engineering at Mozilla.

Related Reading: Mozilla Re-Enables Support for SHA-1 in Firefox

Related Reading: Firefox Blocks Flash Content to Improve Security

Related Reading: Firefox Adds Improved Download Protection

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybercrime

A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...