lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1DBA8D7348C54245B962B2F86140C409B1DE6B@longbarn.fpdomain.com>
Date: Wed, 1 Mar 2006 12:18:20 -0800
From: <salexander@...ntporch.com>
To: <henri@...on-hosting.co.uk>, <bugtraq@...urityfocus.com>
Subject: RE: Evil side of Firefox extensions


A lot of problems can be chalked up to user error but we all need to
face the fact that users do not click No.  People are conditioned to
just click Yes/Ok/Next no matter what; even when they know better.  Even
home users would be better off with the feature enabled.  If they had to
enter a password, they'd at least have to think for two seconds before
they installed the extension.

In an office environment, administrators could prevent most users from
installing their own extensions (although determined users might find a
way).

Steven

-----Original Message-----
From: Henri Cook [mailto:henri@...on-hosting.co.uk] 
Sent: Wednesday, March 01, 2006 11:40 AM
To: bugtraq@...urityfocus.com
Subject: Re: Evil side of Firefox extensions
Importance: High


This is definitely a good idea, although I don't think it should be a
compulsory feature (optional would be nice). If more people than just
you have access to a machine at the end of the day there's no way to
guarantee security. This is just another method of stealing information
like a keylogger would (although admittedly, more intelligent).
This isn't so much a bug as it would be user error (in my opinion), you
choose what extensions you want to install and if you're foolish enough
to install an extension from an untrusted source then you can expect
horrible things to happen.

Henri
henri[at]theplayboymansion[dot]net

> Background
> ----------
> Firefox is very popular and secure web browser. Until now, it is used 
> by milions of people and thousands of internet clubs. One of the great

> features of Firefox are extensions. You can use them to create things 
> inside your browser which are beyond your imagination. But everything 
> has an other side..
>
> Overview
> --------
> Writting a powerfull extension is extremely simple process. Extensions

> are allowed to do _everything_ with your browser: They can change the 
> skin, block banners on pages or even create network connection and 
> send data through it to the internet. The worst of all is that 
> _anyone_, who has physical access to your computer, can install 
> extensions into your browser _without_ your notification.
>
> As an example, I created a simple html form sniffer. You can download 
> it
> here:
> http://azurit.gigahosting.cz/ffsniff/
>
> It was tested only with Firefox 1.0.x and 1.5.x .
>
> FFsniFF is a simple Firefox extension, which transforms your browser 
> into the html form sniffer. Everytime the user click on 'Submit' 
> button, FFsniFF will try to find a non-blank password field in the 
> form. If it's found, entire form (also with URL) is sent to the 
> specified e-mail address.
>
> Solution
> --------
> I think that the solution for this should be in the ability of locking

> the installation of extensions with a password. Every user will be 
> able to read hash of the password (so the browser can verify it) and 
> only system administrator will be allowed to change it (it can be 
> stored for example in registers [Windows] or somewhere in /etc dir 
> [Linux]).
>
>
> azurIt, azurIt@...net, azurit (at) pobox (dot) sk
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ