Popular Firefox Add-ons Expose Users to New Attack

A group of researchers from Northeastern University have detailed a new method that allows malicious actors to launch stealthy attacks by leveraging the lack of isolation between Firefox add-ons.

While they offer many benefits, web browser extensions have been increasingly used by threat actors to carry out their malicious activities. The numerous security alerts published over the past years have clearly shown the threat posed by individual malicious add-ons, but researchers have now demonstrated that the interaction between multiple add-ons can also be problematic from a security perspective.

Experts pointed out that the way Firefox’s extension architecture is designed allows JavaScript extensions to interact with other similar components on the system through a shared JavaScript namespace. This introduces a class of security holes, dubbed by researchers “extension-reuse vulnerabilities,” that can be exploited by an apparently harmless add-on created by attackers to reuse functionality provided by a legitimate add-on.

If they were to make direct calls to security-critical APIs, malicious extensions would be easily identified by Mozilla. However, by leveraging an extension-reuse vulnerability, a malicious add-on can indirectly invoke these APIs through legitimate extensions, allowing threat actors to launch stealthy attacks. The attack method was detailed last week at the Black Hat Asia security conference.

According to researchers, the use of this method makes it significantly more difficult to detect malicious extensions and increases their chances of passing Mozilla’s verification process.
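The vetting gap described above can be shown with a small check over constructed add-on sources. This is an added example, not code from the article, from Mozilla, or from the researchers' CrossFire tool; every add-on ID, global and API name in it is a placeholder, and the regex matching stands in for real data-flow analysis.

```javascript
// Constructed add-on sources; every identifier below is a placeholder.
const SENSITIVE_CALLS = ["placeholderWriteFile", "placeholderRunProcess"];
const addons = [
  { id: "downloader@example", source: [
      "var dlHelper = {",
      "  saveTo: function (url, path) { placeholderWriteFile(path, url); }",
      "};"].join("\n") },
  { id: "theme-tweak@example", source: [
      "function applyTheme() {",
      "  dlHelper.saveTo('https://example.invalid/x', 'out.bin');",
      "}"].join("\n") },
];

// Pass 1: flag add-ons whose own source names a sensitive call.
function directSensitiveCalls(addon) {
  return SENSITIVE_CALLS.filter((name) =>
    new RegExp("\\b" + name + "\\s*\\(").test(addon.source));
}

// Globals an add-on places in the shared namespace (top-level var/function only).
function definedGlobals(addon) {
  const names = [];
  const re = /^(?:var|function)\s+([A-Za-z_$][\w$]*)/gm;
  let m;
  while ((m = re.exec(addon.source)) !== null) names.push(m[1]);
  return names;
}

// Pass 2: flag references to globals owned by a different add-on.
function crossExtensionRefs(addon, all) {
  const hits = [];
  for (const other of all) {
    if (other.id === addon.id) continue;
    for (const g of definedGlobals(other)) {
      if (new RegExp("\\b" + g + "\\b").test(addon.source)) {
        hits.push({ global: g, owner: other.id });
      }
    }
  }
  return hits;
}

function vet(all) {
  return all.map((a) => ({
    id: a.id, direct: directSensitiveCalls(a), reused: crossExtensionRefs(a, all) }));
}

console.log(JSON.stringify(vet(addons), null, 2));
```

The second add-on has no direct sensitive call and would pass the first check alone; only the cross-extension reference check reports that it depends on a global owned by another add-on.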

Experts have created a tool called CrossFire, which they’ve used to analyze the ten most popular Firefox add-ons in an effort to determine if they are vulnerable to extension-reuse attacks.

CrossFire analysis revealed that top add-ons such as Video DownloadHelper, Firebug, NoScript, DownThemAll!, Greasemonkey, Web of Trust, Flash Video Downloader, FlashGot Mass Downloader, and Download YouTube Videos can be leveraged for code execution, file and network access, cookie store access, and modifying preferences. Adblock Plus was the only top 10 Firefox add-on not vulnerable to attacks.

Worryingly, such vulnerabilities can be easily identified, even manually. Tests conducted by researchers showed that a single human analyst could produce an exploit in under 10 minutes.

Researchers noted that while attackers could combine multiple extension-reuse vulnerabilities for sophisticated attacks, a single flaw is often enough to cause damage. For instance, the method can be used to redirect users to a phishing website when they visit a certain URL, or automatically load a web page containing an exploit.

Mozilla says it’s aware of the issue and it has already taken steps to address it.

“The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed,” Nick Nguyen, VP of Product at Firefox, told SecurityWeek.

“Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative – our project to introduce multi-process architecture to Firefox later this year – we will start to sandbox Firefox extensions so that they cannot share code,” Nguyen added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
