Firefox Cross-Extension vulnerability discovered

Martin Brinkmann
Apr 6, 2016
Updated • Apr 6, 2016

Nine of the ten most popular Firefox add-ons, based on users, are affected by extension-reuse vulnerabilities that malicious extensions can leverage.

Add-ons are one of the hallmarks of the Firefox web browser. The most popular Firefox add-ons are used by millions of users, and since the extension system in place does not limit add-on developers as much as on other platforms, some add miraculous things to the browser that are not possible elsewhere.

While researchers have analyzed the security risk associated with an "everything goes" add-on system and particular add-ons exploiting it, barely any research has gone into analyzing the interactions that a lack of extension isolation allows between multiple extensions installed in the Firefox web browser at the same time.

In the research paper CrossFire: An Analysis of Firefox Extension Re-Use Vulnerabilities, the researchers demonstrate a new class of Firefox extension attacks that exploits what they call extension-reuse vulnerabilities.

In layman's terms, it is about one extension using the functionality provided by others to launch attacks.

The vulnerability relies on Firefox's current extension system, and there particularly on the fact that Firefox extensions may share the same JavaScript namespace. While Mozilla suggested in the past that extensions use unique namespaces, the security implications have not been explored for the most part.

Basically, what it means is that an extension could "read from and write to global variables defined by others, call or override all global functions, and modify instantiated objects".
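A minimal model of the shared-namespace behaviour described above, as an added example that is not from the article or the CrossFire paper. Node's `vm` contexts stand in for the scope that extensions share, and every add-on script and name in it is constructed for illustration.

```javascript
// Added illustration; Node's vm contexts stand in for the scope that legacy
// Firefox extensions shared. All add-on scripts and names are constructed.
const vm = require('vm');

// Helper add-on written with plain top-level declarations.
const HELPER_ADDON = `
  var helperPrefs = { allowList: ['example.org'] };
  function helperFetch(url) { return 'fetched:' + url; }
`;
// Same functionality behind one uniquely named object with private state.
const NAMESPACED_ADDON = `
  var OrgExampleHelper = (function () {
    var helperPrefs = { allowList: ['example.org'] };
    function helperFetch(url) { return 'fetched:' + url; }
    return { isAllowed: function (host) {
      return helperPrefs.allowList.indexOf(host) !== -1;
    } };
  })();
`;
// A second add-on that reports which of the helper's internals it can reach.
const OTHER_ADDON = `
  var reachable = [];
  if (typeof helperFetch === 'function') reachable.push('helperFetch');
  if (typeof helperPrefs === 'object') reachable.push('helperPrefs');
  reachable;
`;

// Audit: names a script adds to the global scope it is loaded into.
function leakedGlobals(source) {
  const scope = vm.createContext({});
  vm.runInContext(source, scope);
  return Object.getOwnPropertyNames(scope).sort();
}

// Names the second script can reach, with one shared scope or one scope each.
function reachableFrom(firstSource, secondSource, shared) {
  const firstScope = vm.createContext({});
  vm.runInContext(firstSource, firstScope);
  const secondScope = shared ? firstScope : vm.createContext({});
  return Array.from(vm.runInContext(secondSource, secondScope));
}

console.log(leakedGlobals(HELPER_ADDON));
console.log(leakedGlobals(NAMESPACED_ADDON));
console.log(reachableFrom(HELPER_ADDON, OTHER_ADDON, true));
console.log(reachableFrom(HELPER_ADDON, OTHER_ADDON, false));
console.log(reachableFrom(NAMESPACED_ADDON, OTHER_ADDON, true));
```

The namespaced variant still leaves `OrgExampleHelper` and its public method reachable from the shared scope; only giving each script its own scope removes cross-script access entirely.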

[Figure: firefox reuse vulnerability]

The figure shows how the malicious extension M leverages the capabilities of two legitimate extensions to download and execute code.

While malicious extensions can also perform these operations directly, the core difference is that such extensions won't necessarily pass Mozilla's review process, which means that they won't be made available on the official Mozilla Add-ons store.

The researchers note that add-ons leveraging extension-reuse vulnerabilities are harder to detect since they don't make direct calls to the APIs that enable the attack, and that it would take considerable effort by reviewers to detect malicious intent.

To demonstrate this, a Firefox add-on designed to validate HTML pages was developed and submitted to the Firefox add-on repository. A cross-extension call that leverages capabilities of the popular NoScript add-on was added to it, and the add-on also connected to a URL stealthily, leveraging a global NoScript variable.

The submitted extension passed the automated and human review process without security warnings.

According to the research, nine out of ten of the most popular Firefox extensions are vulnerable to this attack form including NoScript, Firebug, FlashGot and Web of Trust. Further analysis of a sample of 351 extensions out of the top 2000 revealed that more than 72% were vulnerable to extension-reuse attacks.

Caveats

For extension-reuse attacks to work, Firefox users need to install both the malicious extension and at least one other extension that the malicious extension exploits.

The researchers demonstrated that malicious extensions may currently pass Mozilla's automated and full review validation, which increases the chance that Firefox users download and install them on their systems.

However, a new tool called CrossFire was created that automates the process of finding extension-reuse vulnerabilities in add-ons, which should decrease the likelihood of that happening.

A comment by Firefox's vice president on Ars Technica highlights that Mozilla plans to introduce Firefox add-on sandboxing as part of its multi-process architecture implementation.

Summary
Researchers have discovered a new attack form that has malicious add-ons leverage code provided by other add-ons to pass Mozilla's review process.
Publisher: Ghacks Technology News


Comments

  1. beach boui said on April 10, 2016 at 9:33 pm

    The fools who use Chrome are no doubt the same fools who set Google’s nameservers to provide DNS. Some people just don’t get it, and some never will. They would rather follow the flock into the abyss, never thinking about where they’re going.

    Firefox isn’t perfect. There is no perfect browser. I use Chrome on rare occasions. But, I feel a certain loyalty to Firefox… if for no other reason than it is the child of Netscape… where it all began… and for what the Mozilla foundation represents.

    I don’t particularly like Chrome, mostly for what it represents… Google… the most invasive, privacy violating entity on the planet.

  2. Lestat said on April 8, 2016 at 12:56 pm

    WebExtension model is also not secure, Google has this issue too that malware authors abuse them, they buy an extension and change it that way that the new owners earn money while the user suffers privacy loss or worse.

    WebExtension is no wonder cure, it can also be highly abused and what's even worse, it is much more restricting in what you can change with them.

  3. gh said on April 8, 2016 at 9:35 am

    forums.theregister.co.uk/forum/1/2016/04/04/top_firefox_extensions_can_hide_silent_malware_using_easy_prefab_tool/

    The author of this theregister article seems clueless, s/he seemingly parroted and paraphrased without understanding the matters at hand. The title of theregister “article” is both sensational and ridiculous, and theregister commenters seem to be unclear about the matters at hand; they just blindly welcome an opportunity to b*tch about something?

    There’s no real news here — neither in the article, nor in the blackhat presentation mentioned by the article. The blackhat presentation served to raise awareness. Shall we distrust all extensions, all extension authors, and “kill all extensions” as a result? That choice has already been made for us. Mozilla has (months ago) detailed their roadmap for killing (deprecating) the decade-long extensions framework(s) and replacing such with a “webExtensions” framework which provides a woefully castrated (so more secure) range of functionality.

    What’s the agenda? Is the public being preened, is theregister complicit in convincing sheeple that introduction of the lackluster webExtensions framework is “necessary”, is “for yOUR protection”?

    =========================

    Martin’s article comparatively provides more substantial details… but, still, article title is both overly sensational and inaccurate. More accurately, the blackhat presenters described/enumerated (vs “discovered”) hundreds of ways a malicious extension author might reuse/repurpose code contained in other installed extensions. Why are only “9 of the 10 top extensions” affected? Because the other (1, of ten) lacked any code useful for repurposing; it just applies per-site CSS tweaks, or whatever.

  4. Gabriel said on April 8, 2016 at 8:43 am

    More and more people prove that the ways followed by Mozilla are not approved by users, and the justifications for these ways have been destroyed one after another, and Mozilla refuses to accept that it is making mistakes. There are two points that will define whether users will love or hate Firefox; these two points are when they destroy the XUL support and when e10 support comes up for good.

  5. Don Gateley said on April 7, 2016 at 7:35 pm

    Mozilla’s seemingly irrational decision to deprecate the powerful old model now seems less so. This vulnerability rules out the use of Firefox in sensitive areas, like defense, government, and corporations where they want a stronger presence.

    1. Pants said on April 7, 2016 at 11:18 pm

      Well, they didn’t bother with FF at the Pawn2Own competition or whatever it was called because it’s too easy. They really have dragged the chain on e10s to their own detriment. It’s been like 4 or 5 years already. And we only just got 64bit about 3 releases ago. All this pissing about with UI (you can still have some, but FFS stop tinkering), over-simplification and removal of features, mucking around with crap like reader/hello/advertising in tabs/rebuilding the telemetry and health reports/building in social and experiments … they should have been focusing on building a faster more secure browser. *sigh*

  6. Tom Hawack said on April 6, 2016 at 7:04 pm

    What we learn now is that the remaining 1% found on AMO is not 100% secure.
    In other words 100% of everything is vulnerable, be it one day or another.

  7. Earl said on April 6, 2016 at 5:35 pm

    Irrelevant. 99% of everything is “vulnerable”.

  8. Tom Hawack said on April 6, 2016 at 4:35 pm

    What bothers me the most is that the GreaseMonkey add-on is stated as vulnerable. Whatever, the idea from now on is that it is not because an add-on has been accepted on AMO that it is as well 100% secure.

  9. greg said on April 6, 2016 at 4:10 pm

    Anybody know if uBlock-Origin and uMatrix are vulnerable? I’m betting they aren’t.

    1. Big Maq said on April 8, 2016 at 9:15 pm

      Good question. Looking for answers to same.

  10. exrelayman said on April 6, 2016 at 3:20 pm

    I scanned the study. Very surprised that the most vulnerable of the 9 cited was WebofTrust. But as I understand it, this vulnerability depends on the user installing the malicious extension. As I strive to keep a lean clean machine, I run few extensions and I haven’t installed any new extensions since replacing AddBlockPlus with uBlockOrigin based on an article in ghacks. So I don’t feel vulnerable and will keep using WebofTrust.

  11. Dave said on April 6, 2016 at 1:50 pm

    “Everything goes” is such a scary idea. Imagine an operating system where “everything goes” and users could install anything. The world would fall apart. (Anyone not getting the sarcasm, go home.)

    Again, extension signing proves to be pointless.

  12. Ben said on April 6, 2016 at 1:27 pm

    Don’t see a big problem there. You have to install a malicious addon anyway.
    I take this risk anytime about the restrictive shitty chrome addons/UI.

    1. anon said on April 6, 2016 at 4:08 pm

      WebExtensions, the new Firefox extensions model, is not the same one as Chrome’s. It simply allows the basics to work on any browser, which only benefits the user since they can now use the same extension anywhere.

      https://wiki.mozilla.org/WebExtensions
      https://wiki.mozilla.org/WebExtensions/FAQ

      In 2 years, we’ll have extensions working on Chrome, Firefox, and Edge without having to write separate code for each. This is good.

      1. Dave said on April 6, 2016 at 11:57 pm

        A few years ago, Chrome extensions could work on Firefox. Mozilla banned the translator add-on from their add-ons site. I still have the .xpi but it only works with old versions of Firefox, so not much use. Maybe someone could update it though.

      2. Ben said on April 6, 2016 at 9:13 pm

        With WebExtensions everything not allowed by Mozilla will not work at all. Simple as that.
        If your addon needs something and the API will not give it to you, your addon will not work.
        It is highly unlikely that the API will have all the functions an addon can use now – this is just simple logic. Therefore addons cannot do everything they can do now, and that is bad. It starts with such simple things as that you cannot use a mousegesture addon on chrome:// sites (to bring a chrome example).
        The basic idea behind the API is good, but FF should still allow circumventing them if needed. Other than that it will be just one of the many Chromium clones instead of a highly modifiable browser.

  13. vux777 said on April 6, 2016 at 12:11 pm

    Chromium extensions are much more restrictive, and can’t do all the bling-bling stuff like FF extensions can do, and this is why.
    Sandboxed, no interference with UI, and can communicate between each other only by messaging system, so that all (possible) communication is supervised. Malicious code to work in that kind of environment can rely only on social engineering, tricking users somehow.

  14. Max said on April 6, 2016 at 11:48 am

    Sleazy way to sugarcoat the upcoming slaughtering of XUL/XPCOM-addons.
    Desperate.

  15. Daniel Winter said on April 6, 2016 at 10:47 am

    Firefox just feels like a sluggish, insecure dinosaur. I stopped using it 3 years ago and not looking back (Chrome 49).

    1. Dave said on April 6, 2016 at 11:54 pm

      Firefox was terrible 3 years ago, so the decision you made then was rational. Now though… Firefox is probably the best (I recommend the ESR branch)

      1. A41202813GMAIL said on April 9, 2016 at 4:58 am

        Since Extensions Are Free, Could You, Please, Send Me A Copy Of That .XPI File You Are Talking About ?

        Thank You.

    2. Anon said on April 6, 2016 at 5:42 pm

      So you’re judging the current versions of firefox with some experiences that you had with it 3 years ago? Smart.
      Try the latest dev edition or nightly, they are anything but sluggish.
      But you probably won’t, so good for you. Here, have a cookie.

      1. Lestat said on April 6, 2016 at 9:43 pm

        Why should anyone use today Firefox where Mozilla is only interested in one thing… Chrome parity?
