| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 01 Mar 2006 21:12:28 +0100 From: "azurIt" <azurit@...ox.sk> To: bugtraq@...urityfocus.com Subject: Re: Evil side of Firefox extensions >This is definitely a good idea, although I don't think it should be a >compulsory feature (optional would be nice). If more people than just you >have access to a machine at the end of the day there's no way to guarantee >security. This is just another method of stealing information like a >keylogger would (although admittedly, more intelligent). >This isn't so much a bug as it would be user error (in my opinion), you I didn't tell it's a bug. >choose what extensions you want to install and if you're foolish enough to >install an extension from an untrusted source then you can expect horrible >things to happen. > I was primary talking about the internet clubs. FFsniFF was tested on _one_ computer in local internet club: About 30 sniffed accounts (mostly mail and chat accounts) in two days. There are also another ways how extensions can be installed into your browser. For example by a some kind of viruses. The only thing which I wanted to say is that there should be a way how to disallow installation of extensions by anyone. >Henri >henri[at]theplayboymansion[dot]net > >> Background >> ---------- >> Firefox is very popular and secure web browser. Until now, it is used by >> milions of people and thousands of internet clubs. One of the great >> features of >> Firefox are extensions. You can use them to create things inside your >> browser >> which are beyond your imagination. But everything has an other side.. >> >> Overview >> -------- >> Writting a powerfull extension is extremely simple process. Extensions are >> allowed to do _everything_ with your browser: They can change the skin, >> block >> banners on pages or even create network connection and send data through >> it to >> the internet. The worst of all is that _anyone_, who has physical access >> to >> your computer, can install extensions into your browser _without_ your >> notification. >> >> As an example, I created a simple html form sniffer. You can download it >> here: >> http://azurit.gigahosting.cz/ffsniff/ >> >> It was tested only with Firefox 1.0.x and 1.5.x . >> >> FFsniFF is a simple Firefox extension, which transforms your browser into >> the >> html form sniffer. Everytime the user click on 'Submit' button, FFsniFF >> will try >> to find a non-blank password field in the form. If it's found, entire form >> (also >> with URL) is sent to the specified e-mail address. >> >> Solution >> -------- >> I think that the solution for this should be in the ability of locking the >> installation of extensions with a password. Every user will be able to >> read hash >> of the password (so the browser can verify it) and only system >> administrator >> will be allowed to change it (it can be stored for example in registers >> [Windows] or somewhere in /etc dir [Linux]). >> >> >> azurIt, azurIt@...net, azurit (at) pobox (dot) sk >> >> >> >>
Powered by blists - more mailing lists