Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Firefox Extensions May Be the Harbingers of Malicious Attacks
#1
[Image: firefox-extensions-may-be-the-harbingers...2548-2.jpg]

"Extension reuse" attack leverages popular Firefox add-ons to carry out malicious actions on behalf of another add-on

Speaking at the Black Hat Asia 2016 security conference in Singapore, two US researchers have explained how well-known Firefox extensions can be used by other (malicious) extensions to carry out attacks against users, The Register reports.

Last week, Boston University Ph.D. Ahmet Buyukkayhan and Northeastern University Professor William Robertson, presented their research in front of the Black Hat Asia attendees, revealing how holes in Mozilla's add-on ecosystem can be leveraged by attackers.

Extension reuse attack hides in plain sight

For the past two years, the two researchers have been creating malicious extensions which use a so-called "extension reuse" mechanism to make malicious calls to other extensions, which then pass them along to the underlying system.

Since all calls made by an extension through Firefox are executed with elevated privileges, attackers have a broad spectrum of attack possibilities at their disposal.

Even worse, one of these malicious extensions can easily go through Mozilla's review process which all extensions must go through to be added to their add-on portal.

Attack is undetectable to Mozilla's add-on reviewers

Since the malicious extension doesn't make any dangerous calls to Firefox's most sensitive inner parts, automated and human reviewers can't pick up the malicious behavior.

Through this attack scenario, researchers managed to exploit popular Firefox add-ons to carry out malicious actions. In their tests, they used add-ons such as the highly-popular GreaseMonkey add-on (1.5 million active installs), Video DownloadHelper (6.5 million active installs), and NoScript (2.5 million active installs).

They even carried out a live experiment, submitting a harmless add-on to Mozilla that leverages the extension reuse attack scenario, even requesting a full review from Mozilla's staff.

To make things easier, their test extension, called ValidateThisWebsite, contained only 50 lines of code and was left unobfuscated for easy access to its source code. Mozilla reviewers approved the extension without any red flags.

The two researchers ended up revealing the attack to Mozilla' staff and even provided them with the source code of the Crossfire framework that will help reviewers in identifying these types of attacks.

Source
Reply
#2
Thanks for info.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Backdoored Browser Extensions Hid Malicious Traffic in Analytics Requests mrtrout 0 1,195 02-04-2021 , 10:57 PM
Last Post: mrtrout
  More than 200 browser extensions ejected from Firefox and Chrome stores sidemoon 0 1,214 01-31-2020 , 12:11 PM
Last Post: sidemoon
  Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix Mohammad.Poorya 0 1,523 12-10-2018 , 03:59 AM
Last Post: Mohammad.Poorya
  Facebook Messenger Spam Leads to Adware, Malicious Chrome Extensions tarekma7 0 1,978 08-25-2017 , 01:26 PM
Last Post: tarekma7
  Eight Chrome Extensions Hijacked to Deliver Malicious Code tregs_beales 0 2,071 08-16-2017 , 10:44 AM
Last Post: tregs_beales

Forum Jump:


Users browsing this thread: 1 Guest(s)