Message-ID: <f280098d985747b0a5d53c2ebfbd21a9@pobox.sk>
Date: Wed, 01 Mar 2006 21:12:28 +0100
From: "azurIt" <azurit@...ox.sk>
To: bugtraq@...urityfocus.com
Subject: Re: Evil side of Firefox extensions
>This is definitely a good idea, although I don't think it should be a
>compulsory feature (optional would be nice). If more people than just you
>have access to a machine at the end of the day there's no way to guarantee
>security. This is just another method of stealing information like a
>keylogger would (although admittedly, more intelligent).
>This isn't so much a bug as it would be user error (in my opinion), you
I didn't say it's a bug.
>choose what extensions you want to install and if you're foolish enough to
>install an extension from an untrusted source then you can expect horrible
>things to happen.
>
I was primarily talking about the internet clubs. FFsniFF was tested on _one_
computer in a local internet club: about 30 sniffed accounts (mostly mail and
chat accounts) in two days.
There are also other ways extensions can be installed into your browser,
for example by some kind of virus.
The only thing I wanted to say is that there should be a way to disallow
installation of extensions by anyone.
>Henri
>henri[at]theplayboymansion[dot]net
>
>> Background
>> ----------
>> Firefox is a very popular and secure web browser. Until now, it is used by
>> millions of people and thousands of internet clubs. One of the great
>> features of
>> Firefox are extensions. You can use them to create things inside your
>> browser
>> which are beyond your imagination. But everything has an other side..
>>
>> Overview
>> --------
>> Writing a powerful extension is an extremely simple process. Extensions are
>> allowed to do _everything_ with your browser: They can change the skin,
>> block
>> banners on pages or even create network connection and send data through
>> it to
>> the internet. The worst of all is that _anyone_, who has physical access
>> to
>> your computer, can install extensions into your browser _without_ your
>> notification.
>>
>> As an example, I created a simple html form sniffer. You can download it
>> here:
>> http://azurit.gigahosting.cz/ffsniff/
>>
>> It was tested only with Firefox 1.0.x and 1.5.x .
>>
>> FFsniFF is a simple Firefox extension, which transforms your browser into
>> the
>> html form sniffer. Every time the user clicks the 'Submit' button, FFsniFF
>> will try
>> to find a non-blank password field in the form. If it's found, the entire form
>> (along
>> with the URL) is sent to the specified e-mail address.
>>
>> Solution
>> --------
>> I think that the solution for this should be in the ability of locking the
>> installation of extensions with a password. Every user will be able to
>> read hash
>> of the password (so the browser can verify it) and only system
>> administrator
>> will be allowed to change it (it can be stored for example in the registry
>> [Windows] or somewhere in the /etc dir [Linux]).
>>
>>
>> azurIt, azurIt@...net, azurit (at) pobox (dot) sk
>>
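The password lock proposed in the Solution section above, worked through as an added example; this is not code from the post, from FFsniFF or from Firefox. It assumes a lock record kept in a world-readable file that only the administrator can write (the `/etc/firefox/extension-lock` path is a placeholder), a salted PBKDF2-HMAC-SHA256 digest as the "hash" the post mentions (the algorithm is this example's choice), and POSIX ownership and permission bits as the way to decide whether the file can be trusted.

```python
"""Password-locked extension installation, as proposed in the post.

Added illustration, not code from the post or from Firefox. Assumptions:
  * the lock record lives in a world-readable file that only the system
    administrator can write (LOCK_FILE below is a placeholder path);
  * the record is a salted PBKDF2-HMAC-SHA256 digest (the post only says
    "hash"; the algorithm is this example's choice);
  * trust in the file is decided from POSIX ownership/permission bits.
"""
import hashlib
import hmac
import os
import secrets
import stat
from dataclasses import dataclass
from typing import Optional

LOCK_FILE = "/etc/firefox/extension-lock"   # placeholder path (assumption)
PBKDF2_ITERATIONS = 600_000                 # work factor for PBKDF2-HMAC-SHA256


@dataclass(frozen=True)
class LockRecord:
    iterations: int
    salt: bytes
    digest: bytes


def create_lock_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> LockRecord:
    """Administrator side: derive the record that will be written to LOCK_FILE."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return LockRecord(iterations, salt, digest)


def serialize_lock_record(record: LockRecord) -> str:
    """One text line: algorithm$iterations$salt_hex$digest_hex."""
    return "pbkdf2-sha256$%d$%s$%s" % (record.iterations, record.salt.hex(), record.digest.hex())


def parse_lock_record(text: str) -> Optional[LockRecord]:
    """Inverse of serialize_lock_record(); None for anything malformed."""
    parts = text.strip().split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return None
    try:
        iterations = int(parts[1])
        salt, digest = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or not salt or len(digest) != 32:
        return None
    return LockRecord(iterations, salt, digest)


def verify_password(record: LockRecord, candidate: str) -> bool:
    """Browser side: recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record.salt, record.iterations)
    return hmac.compare_digest(digest, record.digest)


def lock_file_is_trustworthy(st: os.stat_result) -> bool:
    """The record only counts if a non-root user could not have replaced it:
    a regular file, owned by root, not writable by group or others."""
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == 0
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


def may_install_extension(lock_text: str, lock_stat: os.stat_result, candidate: str) -> bool:
    """Decision the browser would make before accepting a new extension.
    An untrustworthy or malformed lock file fails closed: nobody may install."""
    if not lock_file_is_trustworthy(lock_stat):
        return False
    record = parse_lock_record(lock_text)
    if record is None:
        return False
    return verify_password(record, candidate)


def load_lock_decision(candidate: str, path: str = LOCK_FILE) -> bool:
    """Read the real lock file and decide; a missing file also fails closed."""
    try:
        st = os.stat(path)
        with open(path, "r", encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        return False
    return may_install_extension(text, st, candidate)


def synthetic_stat(mode: int, uid: int) -> os.stat_result:
    """Constructed stat result for the demo below (no real file is touched)."""
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))


if __name__ == "__main__":
    # Constructed demo: the administrator sets the lock, a user tries to install.
    text = serialize_lock_record(create_lock_record("club-admin-secret"))
    root_owned = synthetic_stat(stat.S_IFREG | 0o644, 0)
    world_writable = synthetic_stat(stat.S_IFREG | 0o666, 0)
    print("correct password, root-owned file:", may_install_extension(text, root_owned, "club-admin-secret"))
    print("wrong password, root-owned file:  ", may_install_extension(text, root_owned, "guess"))
    print("correct password, writable file:  ", may_install_extension(text, world_writable, "club-admin-secret"))
```

Two design points follow from the post's own requirement that any user may read the hash but only the administrator may change it: the file check is as important as the password check, because a record that a club visitor could overwrite would let them set their own password; and a malformed or untrustworthy record fails closed rather than open. Whether a missing lock file should mean "no lock configured" (the optional behaviour the reply above asks for) or "nobody installs" is a deployment choice; the example takes the stricter reading suited to shared machines.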