April 5, 2016 – 5:19 PM
NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.
The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.
“These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks,” the researchers wrote in a paper that was presented last week at the Black Hat security conference in Singapore. “Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures.”
Of the top 10 most popular add-ons vetted by Mozilla officials and made available on the Mozilla website, only Adblock Plus was found to contain no flaws that could be exploited by a malicious add-on that relied on reuse vulnerabilities. Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and FlashGot Mass Down all contained bugs that made it possible for the malicious add-on to execute malicious code. Many of those apps, and many others analyzed in the study, also made it possible to steal browser cookies, control or access a computer’s file system, or to open webpages to sites of an attacker’s choosing.