Bugtraq: Re: Evil side of Firefox extensions

Re: Evil side of Firefox extensions

From: azurIt <azurit_at_pobox.sk>
Date: Wed, 01 Mar 2006 21:12:28 +0100

>This is definitely a good idea, although I don't think it should be a
>compulsory feature (optional would be nice). If more people than just you
>have access to a machine at the end of the day there's no way to guarantee
>security. This is just another method of stealing information like a
>keylogger would (although admittedly, more intelligent).
>This isn't so much a bug as it would be user error (in my opinion), you

I didn't say it's a bug.

>choose what extensions you want to install and if you're foolish enough to
>install an extension from an untrusted source then you can expect horrible
>things to happen.
>

I was primarily talking about internet clubs. FFsniFF was tested on _one_
computer in a local internet club: about 30 sniffed accounts (mostly mail and
chat accounts) in two days.
There are also other ways extensions can be installed into your browser,
for example by some kind of virus.

The only thing I wanted to say is that there should be a way to disallow
the installation of extensions by anyone.

>Henri
>henri[at]theplayboymansion[dot]net
>
>> Background
>> ----------
>> Firefox is a very popular and secure web browser. Until now, it is used by
>> millions of people and thousands of internet clubs. One of the great
>> features of Firefox is extensions. You can use them to create things inside
>> your browser which are beyond your imagination. But everything has another
>> side..
>>
>> Overview
>> --------
>> Writing a powerful extension is an extremely simple process. Extensions are
>> allowed to do _everything_ with your browser: they can change the skin,
>> block banners on pages or even create a network connection and send data
>> through it to the internet. The worst of all is that _anyone_ who has
>> physical access to your computer can install extensions into your browser
>> _without_ your notification.
>>
>> As an example, I created a simple html form sniffer. You can download it
>> here:
>> http://azurit.gigahosting.cz/ffsniff/
>>
>> It was tested only with Firefox 1.0.x and 1.5.x.
>>
>> FFsniFF is a simple Firefox extension which transforms your browser into an
>> html form sniffer. Every time the user clicks on the 'Submit' button,
>> FFsniFF will try to find a non-blank password field in the form. If one is
>> found, the entire form (along with the URL) is sent to the specified e-mail
>> address.
>>
>> Solution
>> --------
>> I think that the solution for this should be the ability to lock the
>> installation of extensions with a password. Every user will be able to read
>> the hash of the password (so the browser can verify it) and only the system
>> administrator will be allowed to change it (it can be stored, for example,
>> in the registry [Windows] or somewhere in the /etc dir [Linux]).
>>
>>
>> azurIt, azurIt_at_IRCnet, azurit (at) pobox (dot) sk
>>
Received on Mar 01 2006
