The Register reports that these extensions are open to attacks that can quietly compromise machines and pass Mozilla’s automated and human security tests. Boston University Ph.D. Ahmet Buyukkayhan and Northeastern University Professor William Robertson demonstrated how the attack, dubbed Extension Reuse, can be leveraged by hackers to install malware on users’ computers. The two researchers said that they had researched the vulnerability for two years by creating malicious extensions which use a so-called “extension reuse” mechanism to make malicious calls to other extensions, which then pass them along to the underlying system. The researchers explain that since all requests made by any extension in the Firefox browser are handled with elevated privileges, once the hackers have leveraged the extension, they can have the entire browser at their disposal.
Even worse, one of these malicious extensions can easily pass Mozilla’s review process, which all extensions must go through to be added to its add-on portal. The Firefox security system cannot zero in on the malicious extension because it doesn’t make any dangerous calls to Firefox’s most sensitive inner parts, the researchers noted. Through this attack scenario, researchers managed to exploit popular Firefox add-ons to carry out malicious actions. In their tests, they used add-ons such as the highly popular GreaseMonkey add-on (1.5 million active installs), Video DownloadHelper (6.5 million active installs), and NoScript (2.5 million active installs).
The researchers showcased their exploit by carrying out a live experiment at the conference. The experiment was done using a test extension, called ValidateThisWebsite, which contained only 50 lines of code and was left unobfuscated for easy access to its source code. Mozilla reviewers approved the extension without any red flags.
Mozilla said that the researchers’ findings were hypothetical in nature. “The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed,” says Nick Nguyen, VP of Product for Firefox. “Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up Web Extensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our Electrolysis initiative – our project to introduce multi-process architecture to Firefox later this year – we will start to sandbox Firefox extensions so that they cannot share code.”