This Firefox add-on forces other extensions to steal your data

Millions of Firefox users face brand new attack

Firefox extensions are exposing millions of users to a new bug capable of stealing sensitive data, it has been claimed.

An attacker can create a malicious add-on for Mozilla's web browser, which can then disguise its nature by forcing a legitimate, existing add-on, to do its dirty work for it, reports Ars Technica.

The flaw, dubbed an extension reuse vulnerability by the researchers who revealed it at the Black Hat security conference in Singapore, is able to do this because Mozilla has not isolated add-ons in its browser.

This means the bug can take advantage of vulnerabilities in other add-ons a user has enabled, and route its attacks through them instead.

These buggy add-ons include NoScript, Video DownloadHelper, FlashGot and Firebug, the researchers wrote in the paper.

The extensions send the user to malicious websites, or force them to download malware.

As quoted by Ars Technica, the researchers said: "These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks.

"Malicious extensions that utilise this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

However, it does rely on a user first downloading the malicious add-on, as well as having buggy extensions already enabled on their browser.

Mozilla admitted to Ars that such a bug would work in its Firefox browser, adding: "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

Chrome vs Firefox vs Microsoft Edge
web browser

Chrome vs Firefox vs Microsoft Edge

7 Jul 2021

Most Popular

Zoom: From pandemic upstart to hybrid work giant
video conferencing

Zoom: From pandemic upstart to hybrid work giant

14 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021