This Firefox add-on forces other extensions to steal your data

Millions of Firefox users face brand new attack

Firefox extensions are exposing millions of users to a new bug capable of stealing sensitive data, it has been claimed.

An attacker can create a malicious add-on for Mozilla's web browser, which can then disguise its nature by forcing a legitimate, existing add-on, to do its dirty work for it, reports Ars Technica.

The flaw, dubbed an extension reuse vulnerability by the researchers who revealed it at the Black Hat security conference in Singapore, is able to do this because Mozilla has not isolated add-ons in its browser.

This means the bug can take advantage of vulnerabilities in other add-ons a user has enabled, and route its attacks through them instead.

Advertisement
Advertisement - Article continues below

These buggy add-ons include NoScript, Video DownloadHelper, FlashGot and Firebug, the researchers wrote in the paper.

The extensions send the user to malicious websites, or force them to download malware.

As quoted by Ars Technica, the researchers said: "These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks.

"Malicious extensions that utilise this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

However, it does rely on a user first downloading the malicious add-on, as well as having buggy extensions already enabled on their browser.

Mozilla admitted to Ars that such a bug would work in its Firefox browser, adding: "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/28014/how-to-enable-private-browsing
web browser

How to enable private browsing on any browser

25 Jun 2019
Visit/web-browsers/24796/which-is-the-best-browser-chrome-vs-firefox-vs-microsoft-edge
web browser

Google Chrome vs Firefox vs Microsoft Edge

30 Apr 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019