A new Firefox vulnerability has been discovered, and this time it is quite a doozy. It affects many different extensions including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, and PhishTank SiteChecker.
So what’s the problem? When using an extension in Firefox it frequently checks to see if there is a more updated version available, and Firefox will notify the user whether they are running the latest version. Normally the user will agree to the update and proceed with their normal browsing activities, but there could be more going on behind the scenes than the user is actually aware of.
If an extension does not use a secure connection (a URL beginning with https:// is secure, where http:// is not) for the update it is possible for a man in the middle attack to occur. Utilizing an insecure connection a hacker could easily intercept an extension update, which would replace the extension on your computer with their own. So as you’re sitting at a coffee shop, Firefox could "harmlessly" be updating your extensions while a hacker is intercepting the request and replacing the extension with something more malicious…possibly something that would reveal all of your passwords.
Below is a video demonstration that Christopher Soghoian, the person who discovered the flaw, put together. The Firefox user has Google Browser Sync installed, and Chris demonstrates how he replaces the extension with his own:
This has been filed as a bug, but is not expected to be fixed until Firefox 3 gets released. This is a real problem though, because some extensions (such as those by Google) automatically update themselves without even notifying the user. Chris has contacted several extension developers, and this is what Google said they were going to fix the issue:
The Google Security Team replied on May 25th stating that they were working on a fix, and expected to have it ready and deployed before May 30th. At the time of publishing this vulnerability disclosure, it does not appear that Google has rolled out an update yet.
Here is what Chris recommends Firefox users do to circumvent the problem:
Users with wireless home routers should change their password to something other than the default.
Until the vendors release secure updates to their software, users should remove or disable all Firefox extensions and toolbars. Only those that have been downloaded from the official Firefox Add-Ons page are safe.
In Firefox, this can be done by going to the Tools menu and choose the Add-ons item. Select the individual extensions, and then click on the uninstall button.
I don’t think that you have to go through the work of uninstalling/disabling your extensions. Instead, just disable the extensions from updating, and then go do a "fresh install" of all your extensions from the Mozilla Add-ons site just to be sure that none of your extensions currently being used have been compromised:
Unfortunately you’ll have to check for all extension updates yourself and manually install them, but it decreases the risk of an attack. However, I’m not sure if this will prevent those extensions from updating who do it automatically, such as those by Google.
News Source: Washington Post
Thanks to CoryC for the tip!