Security Experts:

Popular Firefox Add-ons Expose Users to New Attack

A group of researchers from Northeastern University have detailed a new method that allows malicious actors to launch stealthy attacks by leveraging the lack of isolation between Firefox add-ons.

While they offer many benefits, web browser extensions have been increasingly used by threat actors to carry out their malicious activities. The numerous security alerts published over the past years have clearly shown the threat posed by individual malicious add-ons, but researchers have now demonstrated that the interaction between multiple add-ons can also be problematic from a security perspective.

Experts pointed out that the way Firefox’s extension architecture is designed allows JavaScript extensions to interact with other similar components on the system through a shared JavaScript namespace. This introduces a class of security holes, dubbed by researchers “extension-reuse vulnerabilities,” that can be exploited by an apparently harmless add-on created by attackers to reuse functionality provided by a legitimate add-on.

If they were to make direct calls to security-critical APIs, malicious extensions would be easily identified by Mozilla. However, by leveraging an extension-reuse vulnerability, a malicious add-on can indirectly invoke these APIs through legitimate extensions, allowing threat actors to launch stealthy attacks. The attack method was detailed last week at the Black Hat Asia security conference.

According to researchers, the use of this method makes it significantly more difficult to detect malicious extensions and increases their chances of passing Mozilla’s verification process.

Experts have created a tool called CrossFire, which they’ve used to analyze the ten most popular Firefox add-ons in an effort to determine if they are vulnerable to extension-reuse attacks.

CrossFire analysis revealed that top add-ons such as Video DownloadHelper, Firebug, NoScript, DownThemAll!, Greasemonkey, Web of Trust, Flash Video Downloader, FlashGot Mass Downloader, and Download YouTube Videos can be leveraged for code execution, file and network access, cookie store access, and modifying preferences. Adblock Plus was the only top 10 Firefox add-on not vulnerable to attacks.

Worryingly, such vulnerabilities can be easily identified, even manually. Tests conducted by researchers showed that a single human analyst could produce an exploit in under 10 minutes.

Researchers noted that while attackers could combine multiple extension-reuse vulnerabilities for sophisticated attacks, a single flaw is often enough to cause damage. For instance, the method can be used to redirect users to a phishing website when they visit a certain URL, or automatically load a web page containing an exploit.

Mozilla says it’s aware of the issue and it has already taken steps to address it.

“The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed,” Nick Nguyen, VP of Product at Firefox, told SecurityWeek.

“Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative - our project to introduce multi-process architecture to Firefox later this year - we will start to sandbox Firefox extensions so that they cannot share code,” Nguyen added.

Related: Researcher Rewarded for XSS in Mozilla Add-ons Site

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.