This Firefox add-on forces other extensions to steal your data

Millions of Firefox users face brand new attack

Firefox extensions are exposing millions of users to a new bug capable of stealing sensitive data, it has been claimed.

An attacker can create a malicious add-on for Mozilla's web browser which disguises its nature by forcing a legitimate, already-installed add-on to do its dirty work for it, reports Ars Technica.

The flaw, dubbed an extension reuse vulnerability by the researchers who revealed it at the Black Hat security conference in Singapore, is able to do this because Mozilla has not isolated add-ons in its browser.

This means the bug can take advantage of vulnerabilities in other add-ons a user has enabled, and route its attacks through them instead.


These buggy add-ons include NoScript, Video DownloadHelper, FlashGot and Firebug, the researchers wrote in the paper.

Once hijacked, these extensions can be made to send the user to malicious websites or force them to download malware.

As quoted by Ars Technica, the researchers said: "These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks.

"Malicious extensions that utilise this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

However, the attack does rely on a user first installing the malicious add-on, as well as already having the buggy extensions enabled in their browser.

Mozilla admitted to Ars that such a bug would work in its Firefox browser, adding: "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."
