04-05-2016 , 11:13 AM
"Extension reuse" attack leverages popular Firefox add-ons to carry out malicious actions on behalf of another add-on
Speaking at the Black Hat Asia 2016 security conference in Singapore, two US researchers have explained how well-known Firefox extensions can be used by other (malicious) extensions to carry out attacks against users, The Register reports.
Last week, Boston University Ph.D. Ahmet Buyukkayhan and Northeastern University Professor William Robertson presented their research in front of the Black Hat Asia attendees, revealing how holes in Mozilla's add-on ecosystem can be leveraged by attackers.
Extension reuse attack hides in plain sight
For the past two years, the two researchers have been creating malicious extensions which use a so-called "extension reuse" mechanism to make malicious calls to other extensions, which then pass them along to the underlying system.
Since all calls made by an extension through Firefox are executed with elevated privileges, attackers have a broad spectrum of attack possibilities at their disposal.
Even worse, one of these malicious extensions can easily pass Mozilla's review process, which all extensions must go through to be added to its add-on portal.
Attack is undetectable to Mozilla's add-on reviewers
Since the malicious extension doesn't make any dangerous calls to Firefox's most sensitive inner parts, automated and human reviewers can't pick up the malicious behavior.
Through this attack scenario, researchers managed to exploit popular Firefox add-ons to carry out malicious actions. In their tests, they used add-ons such as the highly popular GreaseMonkey add-on (1.5 million active installs), Video DownloadHelper (6.5 million active installs), and NoScript (2.5 million active installs).
They also carried out a live experiment, submitting to Mozilla a harmless add-on that leverages the extension reuse attack scenario and even requesting a full review from Mozilla's staff.
To make things easier, their test extension, called ValidateThisWebsite, contained only 50 lines of code and was left unobfuscated for easy access to its source code. Mozilla reviewers approved the extension without any red flags.
The two researchers ended up revealing the attack to Mozilla's staff and even provided them with the source code of the Crossfire framework, which will help reviewers identify these types of attacks.