Mozilla enjoys a large development community to build add-ons for its Firefox browser. Now it seems all that development might not be a good thing. A security researcher in Indiana has found that the process used to update some of these add-ons automatically appears to be flawed, allowing criminal hackers to intercept the browser's call to the developer to see if there's a new version available. Worse, the most vulnerable add-ons aren't from vendors you've never heard of; they include brand-name sites like Google, Yahoo, Facebook, and LinkedIn.
Extensions for Firefox contain hard-coded Internet addresses for updates. Mozilla provides free hosting for updates at addons.mozilla.org, however, many developers choose for various reasons to serve the updates themselves from servers under their control. The servers at Mozilla all use the secure https:// protocol, but since encryption requires more resources, many developers opt to use the less secure, less resource intensive http:// instead. That's where the problem lies.
Researcher Christopher Soghoian's blog describes a scenario where a wireless user in an Internet café starts up the Firefox browser. Home users who have not changed the default password on their wireless routers are also affected. Firefox routinely checks with the extension's update servers to see if there are any updates pending and generally notifies the user. Add-ons using the secure http:// protocol are not affected; a criminal could not intercept that encrypted transmission. However, add-ons using the less secure http:// protocol are open to what's called a man-in-the-middle attack where a criminal hacker can intercept the transmission and substitute a maliciously coded update instead. While Firefox prompts the user to install any updates, not all updates trigger the prompt. For example, Google Toolbar updates will install automatically.
Soghoian says, "The problem stems from design flaws, false assumptions, and a lack of solid developer documentation instructing extension authors on the best way to secure their code." He urges Firefox users to uninstall extensions not downloaded from Mozilla. Among these, Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, and PhishTank SiteChecker.
Add-ons not vulnerable to this type of attack include NoScript, Greasemonkey, and AdBlock Plus. Secure add-ons can be downloaded from the official Firefox Add-ons website.
Soghoian says he contacted Google and other developers and told Mozilla and specific about this vulnerability on April 16, 2007. Many vendors ignored him. Mozilla did work with some vendors, such as eBay, to fix the problem and has updated its developer site to include safe coding practices to guard against this attack. Abiding by the CERT vulnerability disclosure policy, Shogoian went public 45 days after notifying CERT and the vendors affected.
Soghoian is no stranger to controversy. In October, Soghoian printed his own airline tickets much to the dismay of the FAA and Department of Homeland Security. No charges were ever filed.