Google, Yahoo, Facebook Extensions Put Millions of Firefox Users At Risk — Updated
Firefox browser users love the myriad of third-party extensions that tweak the open-source browser’s performance, but some of the most popular of those extensions have created a security hole so wide that even a newbie AOL hacker could find it, and millions of Firefox users are at risk of having their browsers hijacked.
Full story here.
Third party extensions including the widely used toolbars from Google, Yahoo, Ask, Facebook, LinkedIn, as well as social bookmark extension from Del.icio.us and two anti-hacking add-ons, the Netcraft Anti-Phishing Toolbar and the PhishTank SiteChecker all put users at risk of having their browser infected with malicious code.
Unlike almost all of the extensions hosted at Mozilla, the foundation that created the open-source Firefox browser, these commercial extensions check for updates from servers controlled by their respective corporate overlords. And they fail to fetch those updates from servers with SSL certificates, which most users know as sites whose addresses start with https://.
That means that users who open their browsers when using an open wireless connection are vulnerable to a hacker being able to intercept these third-party extensions’ checks for updates at a plain http:// site and then pretend to be the update server. At lesser risk are users who haven’t changed the default password on home routers, which could allow an attacker to take over the router and mess with internet packets.
Instead of sending back the new legitimate code or a message telling the extension that it is up to date, the rogue wireless connection (or compromised router) sends a new malicious extension that could let an attacker take over the browser and use the computer to send spam, attack other computers or steal the user’s passwords and sensitive information.
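As an added example that is not from the article, from Mozilla, or from any of the vendors named, here is a small audit script that parses Firefox install.rdf manifests and flags extensions whose em:updateURL is plain http, the condition the story describes. The install.rdf format and the em: namespace are Mozilla's; the extension ids and update hosts are constructed, and treating a missing updateURL as "Mozilla-hosted default" is an assumption made here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Firefox install.rdf manifests (Mozilla's, not constructed).
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def manifest(ext_id, update_url=None):
    """Build a minimal constructed install.rdf (hypothetical ids and hosts)."""
    url_elem = f"<em:updateURL>{update_url}</em:updateURL>" if update_url else ""
    return (f'<RDF xmlns="{RDF_NS}" xmlns:em="{EM_NS}">'
            f'<Description about="urn:mozilla:install-manifest">'
            f'<em:id>{ext_id}</em:id>{url_elem}</Description></RDF>')


# Constructed sample set: one plain-http updater (the vulnerable pattern),
# one https updater, one with no updateURL at all.
SAMPLE_MANIFESTS = {
    "plain-http-toolbar": manifest("toolbar@example.invalid",
                                   "http://updates.example.invalid/update.rdf"),
    "https-toolbar": manifest("secure@example.invalid",
                              "https://updates.example.invalid/update.rdf"),
    "mozilla-hosted": manifest("hosted@example.invalid"),
}


def update_url(manifest_xml):
    """Return the em:updateURL text of an install.rdf, or None if absent."""
    node = ET.fromstring(manifest_xml).find(f".//{{{EM_NS}}}updateURL")
    return node.text.strip() if node is not None and node.text else None


def classify(manifest_xml):
    """'insecure' when updates are fetched without SSL, 'secure' for https,
    'mozilla-default' when no updateURL is set (assumed: Mozilla's own
    update service is used in that case)."""
    url = update_url(manifest_xml)
    if url is None:
        return "mozilla-default"
    return "secure" if urlparse(url).scheme.lower() == "https" else "insecure"


def audit(manifests):
    """Map extension name -> verdict. 'insecure' entries are the ones whose
    update check could be answered by a rogue host on the same network."""
    return {name: classify(xml) for name, xml in manifests.items()}
```

Point it at the install.rdf of each extension in a real profile directory to get the same verdicts for installed add-ons.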