Firefox Cross-Extension vulnerability discovered

Nine of the ten most popular Firefox add-ons, ranked by user count, contain extension-reuse vulnerabilities that malicious extensions can leverage.
Add-ons are one of the hallmarks of the Firefox web browser. The most popular Firefox add-ons are used by millions of users, and since the extension system in place does not limit add-on developers as much as on other platforms, some add miraculous things to the browser that are not possible elsewhere.
While researchers have analyzed the security risk associated with an "everything goes" add-on system and particular add-ons exploiting it, barely any research has gone into the interactions between multiple extensions installed in the Firefox web browser at the same time, which are possible because extensions are not isolated from one another.
In the research paper CrossFire: An Analysis of Firefox Extension Re-Use Vulnerabilities, the researchers demonstrate a new class of Firefox extension attacks that exploits what they call extension-reuse vulnerabilities.
In layman's terms, it is about one extension using the functionality provided by others to launch attacks.
The vulnerability relies on Firefox's current extension system, and there particularly on the fact that Firefox extensions may share the same JavaScript namespace. While Mozilla suggested in the past that extensions use unique namespaces, the security implications have not been explored for the most part.
Basically, what it means is that an extension could "read from and write to global variables defined by others, call or override all global functions, and modify instantiated objects".
The figure shows how the malicious extension M leverages the capabilities of two legitimate extensions to download and execute code.
While malicious extensions can also perform these operations directly, the core difference is that extensions doing so would not necessarily pass Mozilla's review process, which means that they would not be made available on the official Mozilla Add-ons store.
The researchers note that add-ons leveraging extension-reuse vulnerabilities are harder to detect since they don't make direct calls to the APIs that enable the attack, and that it would take considerable effort by reviewers to detect malicious intent.
To demonstrate this, the researchers developed a Firefox add-on designed to validate HTML pages and submitted it to the Firefox add-on repository. They added a cross-extension call that leverages capabilities of the popular NoScript add-on: by way of a global NoScript variable, the add-on stealthily connected to a URL.
The submitted extension passed the automated and human review process without security warnings.
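The shared-namespace problem and the review gap described above, modelled in Node.js as an added example (not code from the article, the paper, or any real add-on): two constructed add-on scripts run first in one shared scope and then in isolated scopes, next to a review check that looks only for direct privileged calls and one that flags references to another add-on's globals. The names netHelper, pageValidator and hostRequest are hypothetical, and vm contexts stand in for Firefox's extension scopes.

```javascript
const vm = require('node:vm');

// Constructed stand-ins for two legacy add-ons. All names are hypothetical.
const helperSrc = `
var netHelper = {
  open: function (url) { return hostRequest(url); } // wraps a privileged host API
};
`;
const reviewedSrc = `
var pageValidator = {
  check: function (html) {
    if (typeof netHelper !== 'undefined') netHelper.open('https://example.invalid/ping');
    return /<html[\\s>]/i.test(html);
  }
};
`;

// Names an add-on declares at the top level, i.e. what it adds to the shared
// namespace. Simplified: only declarations that start in column 0 are seen.
function declaredGlobals(src) {
  const names = [];
  const re = /^(?:var|function)\s+([A-Za-z_]\w*)/gm;
  let m;
  while ((m = re.exec(src)) !== null) names.push(m[1]);
  return names;
}

// What a review that only looks for direct privileged calls would report.
function directPrivilegedCalls(src, privilegedApis) {
  return privilegedApis.filter((api) => new RegExp('\\b' + api + '\\s*\\(').test(src));
}

// Globals owned by other installed add-ons that the reviewed source references.
function crossExtensionRefs(src, otherSources) {
  const own = new Set(declaredGlobals(src));
  const foreign = otherSources.flatMap(declaredGlobals).filter((n) => !own.has(n));
  return [...new Set(foreign)].filter((n) => new RegExp('\\b' + n + '\\b').test(src));
}

// Run both add-ons in one shared scope (legacy model) or in separate scopes,
// and record every request that reaches the privileged host API.
function runAddons(isolated) {
  const requests = [];
  const newScope = () =>
    vm.createContext({ hostRequest: (url) => { requests.push(url); return 'ok'; } });
  const helperScope = newScope();
  const reviewedScope = isolated ? newScope() : helperScope;
  vm.runInContext(helperSrc, helperScope);
  vm.runInContext(reviewedSrc, reviewedScope);
  const valid = vm.runInContext(
    "pageValidator.check('<html><body></body></html>')", reviewedScope);
  return { valid, requests };
}

console.log('direct privileged calls in reviewed add-on:',
  directPrivilegedCalls(reviewedSrc, ['hostRequest']));
console.log('cross-extension references in reviewed add-on:',
  crossExtensionRefs(reviewedSrc, [helperSrc]));
console.log('shared scope  :', runAddons(false));
console.log('isolated scope:', runAddons(true));
```

The reviewed script contains no direct privileged call, yet in the shared scope a request still reaches the host API through the other add-on's global; with separate scopes the same script validates the page and makes no request.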
According to the research, nine out of ten of the most popular Firefox extensions are vulnerable to this attack form including NoScript, Firebug, FlashGot and Web of Trust. Further analysis of a sample of 351 extensions out of the top 2000 revealed that more than 72% were vulnerable to extension-reuse attacks.
Caveats
For extension-reuse attacks to work, Firefox users need to install both the malicious extension and at least one other extension that the malicious extension exploits.
The researchers demonstrated that malicious extensions may currently pass Mozilla's automated and full review validation, which increases the chance that Firefox users download and install them on their systems.
However, a new tool called CrossFire was created that automates the process of finding extension-reuse vulnerabilities in add-ons which should decrease the likelihood of that happening.
A comment by Firefox's vice president on Ars Technica highlights that Mozilla plans to introduce Firefox add-on sandboxing as part of its multi-process architecture implementation.


Since I’ve rarely wanted to transfer more than one tab between browsers, I’m not inclined to install another extension just for that — especially one that (according to your description) closed all my tabs in the process. In the past I’ve just copied and pasted the URL, but (even for just one tab) that is a little tedious.
I just tried an interesting little experiment, with a useful result. (I did this on my Mac, but I’m guessing it would work on other platforms too.) I’m reading this article in Firefox, so I opened a new blank window in Chrome. At the top of both browser windows, at the far-left end of the URL bar, there’s a little icon of the letter “i” in a circle. (If you hover over it in Firefox, it says “Show site information”; in Chrome, hovering it says “View site information” — that’s the icon I’m talking about.)
I simply dragged the Firefox “i” icon from the top of this page, into the Chrome window — and this page loaded in Chrome! It worked! Then I tried something just a bit trickier, in the other direction — I first (from a bookmark) loaded into Chrome a page from my local web-development server (i.e. not online)… then dragged the “i” icon from the Chrome toolbar into this Firefox window — and it worked then too!
So, although I have no interest in the OneTab extension, I just learned something useful! I hope other people find this trick useful too. (Later I’ll try it in Safari — maybe it works in every browser?)
Interesting find Jonas, thanks for sharing!
Your comment doesn’t appear to be one of the real @Martin, because there is no black label rounding the entire title of the comment as before. :S
I also used onetab already and didn’t even know they had this feature. Thanks so much.
Exporting tabs to FF: “The address wasn’t understood. Firefox doesn’t know how to open this address, because one of the following protocols (chrome-extension) isn’t associated with any program or is not allowed in this context.”
Useless.
And the most important information was left out of the article or it doesn’t even exist in the first place: how to completely disable such functionality.
Your comment doesn’t make any sense at all. It’s an explicit user action to import data from other add-ons. If you don’t want it you just don’t do it.
This comment actually does make a lot of sense, and I am actually searching for this. Some people do NOT want websites to be (badly) translated, so they never use such a feature. The thing is, every time I visit a non-English website this annoying menu pops up, and the button is another element in the URL bar cluster of useless unused features. I do not want to add all languages to a “do not translate” list, instead I want a “hide button” or “disable translations completely” setting.
This comment actually does make a lot of sense, and I am currently searching for this. Some people do NOT want websites to be (badly) translated, so they never use such a feature. The thing is, every time I visit a non-English website this annoying menu pops up, and the button is another element in the URL bar cluster of useless unused features. I do not want to add all languages to a “do not translate” list, instead I want a “hide button” or “disable translations completely” setting.
my bad. somehow my, and I think DMoRiaM’s comment got mixed into the wrong article. Haha.
go to about:config and set browser.translations.automaticallyPopup to false.
Does this hack still work on FF 107 or whatever is most current?
Firefox 118 seems to be officially rolling this out by default: https://support.mozilla.org/en-US/kb/website-translation
Hoping Mozilla won’t remove the option altogether in the future as they already did for other, ahem, unwanted features… Why don’t they listen to their users instead?
@zed,
your reply seems to be Addlibs (according to your RSS reader),
Addlibs did not intend to comment on this article “OneTab browser extension”, but regarding Firefox’s new built-in fullpage translation “Firefox Translation”.
Firefox Fullpage Translation
https://support.mozilla.org/en-US/kb/website-translation
what the heck is going on with comments on this site lately?
first comment on THIS article was 9-2019.
Looks like the comments database is corrupted.
Besides old comments appearing in new articles, the same comment appears in multiple articles.
Also I answered a comment in one article, and the same answer appeared as an answer to a different comment by the same person.
@Martin Brinkmann,
Anyway, please deal with this anomaly ASAP.
Comments are a mess, irrelevant and chaotic.
If there is no prospect, Ghacks Technology News should be put on hiatus until the system is fixed.
It’s the same as before with endless monologues or people telling others why they are wrong.
Actually, Frankel, it’s you who’s wrong
This is all techo-BS. What people want is far simpler: a hotkey toggle: images on/images off. Is that really so complex? Seems so. It’s like autoplay videos on/off. In that case you can set it to off but it doesn’t stick. Typical digiocy.
This isn’t great but it might help people that have moved from chrome to firefox to some extent. I can’t tell you the amount of time I have seen people complain that a certain extension they use on google is not available and the only thing holding them back from moving over when they are actually wrong and the very same developer has a Firefox version also. I would always encourage manually looking as there are always hidden gems.
In regards to the website I have reached out to Martin personally and to his credit he replied very quickly. He has informed me that they are aware of the problems and are attempting to fix it.
Martin is no longer involved in the technical management of the site so I imagine if we want to ask someone then our comments would perhaps be better directed towards Softonic.
I don’t understand what is happening here with the comments. The counter shows zero comments and then inside there are some comments from older dates, even from years ago. And most of them are not related to the article, by the way. So sad what’s going on and nobody is still fixing it. :S
This site now appears to be mostly created and run by AI. On the positive side (if there is one), I guess we can assume at some point the AI will be capable of recognizing and fixing corrupted files and the like.
“Import Chrome extensions” …. (by installing comparable Firefox extensions) … (for a small number of extensions).”
What a bunch of bogus PR spin. Someone who liked uBlock Origin on Chrome could already install it just fine on Firefox with a couple of mouse clicks. This just adds extra unnecessarily complicated steps to something that was already dead simple, all in order for Mozilla to claim fake one-to-one compatibility that doesn’t actually exist.
It would be interesting if Firefox could install Chrome Addons directly from the Chrome Web Store. Although there would probably be some incompatibility, perhaps there’s a shim to translate some Chrome-specific WebExtension APIs over to Firefox. Microsoft Edge can install extensions directly from the Chrome Web Store, but Edge is using the same Blink web engine as Chrome so that makes things easy.
Don’t really care about importing as I never use that feature.
Just retire Gecko and join the Blink bandwagon already, Mozilla. Then you can guarantee 100% Chrome extension compatibility! /s
Not like your browser is getting much attention let alone budget compared to your other woke social justice initiatives.
Hello,
does anyone know if the STG has issues with the sidebar at the moment? I just added it and can not find any option to use it in the sidebar. I am also using an add-on for tree style tab…this might be the source of the problem?
Greetings, Anja
tried typing- about:config -in the search bar -( I want to enable javascript) but it simply will NOT open!
I tried Firefox Translate, but it doesn’t do Chinese or Japanese, and that’s a deal-breaker for me. I uninstalled it and am sticking with the Google Translate extension.
“…Vivaldi and Brave use self-hosted solutions, which still require connections, but offer better privacy than an integration of Google Translate or other third-party translation services would offer.”
While I like Brave as a browser, their translation “solution” just plain sucks. I’d rather have the data sent to Google or Bing, than have a translate feature that just doesn’t work properly. Not only is it not possible to select just a section of text to translate, but to make it worse, most of the time translating the whole page in Brave is either really unbearably slow, or more often than not, it just won’t translate the page at all and displays a “This page couldn’t be translated” error. It’s pretty pointless if their users need to keep using something else to translate pages and have to give up their privacy anyway.
The native translate feature in Firefox sounds like a much better solution than what Brave uses.
Great news, thanx FF devs! Hopefully, more languages will be available in the future. So happy!
Floorp comes with its own built-in translator. It’s been like that ever since the first release in fact.
https://floorp.app/download
Article title: Firefox 117: native language translations, last Firefox 102 update and security fixes
https://www.ghacks.net/2023/08/29/firefox-117-native-language-translations-last-firefox-102-update-and-security-fixes/
I think for now every time I comment on an article I am going to put the title of the article and/or the URL of said article because I am seeing my own comments which are from another Firefox related article but not exactly this one.
In regards to this website Martin does not have administrative access to the back end of the website. It would fall on softonic international to fix it now which seems to be of very low priority.
This might be the straw that broke the camels back for ghacks which is a shame because it had many good comments and articles that go way back. Moving away from it would suck.
Maybe try contacting them here to see if you can get any action.
https://hello.softonic.com/contact/
Can you help me please.
Latest version, they push their VPN (powered by Mullvad) yet again. Instead of writing version changes. sigh. https://imgur.com/g6N20bN
Luckily I had a recent backup available. Firefox was no longer giving me access to profiles when I reinstalled version 116.03 and was asking me to create a new profile. It asked me to upgrade last night and to my surprise all the JS scripts were gone.
https://github.com/xiaoxiaoflood/firefox-scripts/issues/265
Firewall: “Deny [Firefox] outgoing connections to domain nextdns.io”
Firewall: “Deny [plugin-container] outgoing connections to domain cloudflare-dns.com (including mozilla.cloudflare-dns.com)”
It’s exciting to hear that Mozilla is actively working on a design refresh for their Firefox web browser, internally referred to as Photon. The last major redesign, known as Proton, was introduced in Firefox 57 back in November 2017. Since then, Mozilla has made some interface changes, including the controversial address bar overhaul in Firefox 75 Stable.
While specific details about the design refresh are currently limited, Mozilla has created a meta bug on Bugzilla to track the changes. Although no mockups or screenshots have been shared yet, the bug names provide some insights into the elements that will receive a refresh, such as the address bar, tabs bar, main menu, infobars, doorhangers, context menus, and modals.
The new design is scheduled to be released in Firefox 89, which was initially planned for a mid-2021 release, specifically May 18, 2021. However, as development work is still ongoing, there is a possibility of a delayed release.
@ Zibtek,
I’m already using Photon on Floorp which is a fork of Firefox. Here’s a pix of what it looks like:
https://i.postimg.cc/8PsK7DjV/floorp-photon.png I enabled the menu bar at the top, but you can turn it off if you don’t like it.
Floorp is a Japanese browser based on FF102. I’ve been using it as my default browser ever since ‘owl’ pointed it out on the Ghacks site last year (or was it this year, can’t remember exactly when). In any event it contains many more enhancements than the vanilla version of Firefox. It also comes with searXNG search engine in the list of search engines provided which saves having to install it yourself.
Floorp download: https://floorp.app/en/
My comment is regarding the following,
Article title:
Mozilla patches critical WebP security issue in Firefox and Thunderbird
>> ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/#respond
Indeed, today, those patch versions were applied through automatic updates.
However, since I had disabled the “WebP” function, I was not interested in that topic (Google, etc.).
Regarding Thunderbird:
Today finally,
My Thunderbird 102.14.0 (en-US) was updated with “Thunderbird 102.15.1 (x64)” through the automatic update feature.
By the way,
Naturally, it will not be automatically updated to 115 (Supernova).
Anyway,
it is clear from Bugzilla that the bug fixes related to migration from 102 to 115 are not complete, so existing users of “102” should refrain from manually updating to 115.
>> ghacks.net/2023/09/08/thunderbird-102-to-115-upgrades-are-now-enabled/#comment-4573569
Betterbird has been released 115.2.1-bb11 (12 September 2023) . Betterbird make Thunderbird a faithful upstream.
Betterbird: Release Notes
>> betterbird.eu/releasenotes/?locale=en-US&version=115.2.1&channel=default&os=WINNT&buildid=20230911203543
@Martin Brinkmann,
I posted in response to an article published on 2023/09/13.
Article title: Mozilla patches critical WebP security issue in Firefox and Thunderbird. >> ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/
However, the link was to an unrelated article published on 2019/09/27.
>> ghacks.net/2019/09/27/how-to-import-tabs-from-chrome-to-firefox-and-vice-versa/
This kind of “disorder of Articles and Comments” has been going on for another month.
Is this an obvious (by Softonic, which operates and manages ghacks.net) act of sabotage against Martin and Ashwin?
It’s really frustrating!
[ My comment is on “Mozilla patches critical WebP security issue in Firefox and Thunderbird” https://www.ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/ though not directly related to that article ]
What happened to gHacks? When the site was bought out, Martin assured us it wouldn’t go downhill and he’d maintain editorial control, but the AI-written articles are ruining the quality of the site. I’ve been tempted to drop the site from my RSS reader because of this. Is there an RSS feed with only the human-written articles? Individual feeds for each author isn’t a good solution.
Article Title: Mozilla patches critical WebP security issue in Firefox and Thunderbird
Article URL: https://www.ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/
If anyone was unaware you should download the extension “Don’t Accept WebP” regardless of the patch. WebP is absolute trash that is unnecessary and clearly an issue. I would rather my images be in their native format and not some recompiled trash such as WebP.
I have absolutely no love for the parent company of this website.
I agree, this is so atrocious – most of the time you can even tell by the URL what format the original image was in – this “reconvert-on-the-fly” nonsense is terrible – but especially so when you’re converting a lossy format, which should be avoided as often as possible.
Sometimes you can edit the image URL to get it to send the right image, unfortunately “don’t accept WebP” doesn’t always work – but that’s why they offer a built in conversion, I suppose.
@ Mystique,
Thanks for the tip (about the addon). I wasn’t aware that Webp was a vulnerability.
I read only Martin Brinkmann’s, Mike Turcotte’s, and Ashwin’s articles. Add uBlock Origin news filter for ghacks:
! 2023-09-13 https://www.ghacks.net/
ghacks.net##.hentry,.home-posts:not(:has-text(/Martin Brinkmann|Mike Turcotte|Ashwin/))
@ https://www.ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/#comment-4573641
I tried your uBlock filter on Brave snap package for Ubuntu, but it doesn’t work, do I need to restart the browser?
I have noticed uBO doesn’t fully work on Brave, for instance the Element Picker can’t pick anything while the Zapper does, but not 100%, Nuke Anything works much better, but it’s only temporarily.
“important address bar change” alright calm down… lol
I have gotten rid of the stupid shield and the “not secure” box, and have it set up so that it always displays the full URL (I think…?).
In a perfect world, it should just always show the full url, no icons, or emojis, or anything like that.
“Users may want to know why Firefox is no longer displaying https:// in the address bar” I’ll bet nobody will notice anything – apart from a select few autists like myself who customise everything and don’t like change.
“Users may want to know why Firefox is no longer displaying https:// in the address bar”
Why, I don’t know either (a breeze of madness or is it of love in the air), but there’s an about:config to handle that as well (Firefox) :
// display all parts of the url in the location bar (do not trim)
pref("browser.urlbar.trimURLs", false); // Default=true
Things, too many, too often are decided in spite of common sense.
Firefox is always copying whatever Chromium does… it is like they are a Chromium browser without the name and having trouble rendering many websites. In fact, it is like they are getting 400million just for existing and adopt anything Google releases or does, like web extensions, widevine, safe browsing and then visual changes like this.
I like how some people think there is a choice, and the choice is better than the leader… while still failing at basic stuff.
What’s the point of these useless changes? Just show the full address with the protocol at all times and be done with it…
I set the User Agent address bar to always show the entire URI in a unmasked format.
Martin, as of 19 September 2023, the gHacks comments system is still severely mangled. Data subjects have considerable rights conferred on them; where those decisions are likely to affect them.
Let’s start again. “I set the User Agent address bar to always show the entire URI in [an] unmasked format.”
Hallowed be the memory of the Lost Souls.
“HTTPS doesn’t mean safe:
Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.”
[https://www.kaspersky.com/blog/https-does-not-mean-safe/20725/]
website still wacked huh?
Article: Firefox 119 will launch with an important address bar change
https://www.ghacks.net/2023/09/19/firefox-119-will-launch-with-an-important-address-bar-change/
Just one thing regarding the URL bar as it looks like now in latest Firefox, the relatively new feature where some extensions would add their icon inside the URL bar, how bad can it get?
https://imgur.com/uIlWI58
https://postimg.cc/YvYnpzGh
https://ibb.co/QQT584N
ps. uploaded same pic to several links just to make sure some will work.
(For those who can’t see the pic it’s a snapshot showing a URL bar full of extensions, and also Firefox own built in icons that would appear inside the URL bar depending in some cases on which type of website is being viewed, there’s no space left for the actual thing the URL bar is supposed to view, namely the URL address itself)
Yes, I have several extensions on the toolbar, but the menu bar is pretty full and I want to keep some on the toolbar too, and usually Firefox would also push excessive extensions behind a drop-down menu for access to them as well, but as it looks like now the URL bar is given too little space priority, or is there a way to restrict to a minimum URL bar size?
You can modify Firefox with a “profileFolder/chrome/userChrome.css” file:
/* https://www.reddit.com/r/FirefoxCSS */
/* https://github.com/MrOtherGuy/firefox-csshacks */
@import url(urlbar_info_icons_on_hover.css);
@import url(page_action_buttons_on_hover.css);
@import url(compact_extensions_panel.css);
#urlbar-container:focus-within { min-width: 60vw !important; }
#navigator-toolbox .chromeclass-toolbar-additional { margin-inline: -2px !important; }
#unified-extensions-button { order: 1 !important; }
Well, Mozilla and Firefox are saved because of this and many other changes / ‘news’ in the past days!
A while ago they separated the “Firefox” brand from the “Firefox Browser” brand, now they are abandoning the Firefox brand? Or are they abandoning the Firefox Browser brand? I don’t know.
While that small change would make sense as standalone, it’s unfortunately done in a context where Google (and thus Mozilla) wants to get rid of the URL ultimately and just display search engine data on that bar, going on with that trend of the browser only being a search engine carrier.
Were users forced to use the same account for different Mozilla products ? Maybe those who want their news reading habits to be tracked and monetized by Mozilla Pocket do not want their e-commerce habits to be tracked and monetized by Mozilla Fakespot under the same identity ? This is really starting to look like a Google account. When I think that this Firefox account thing more or less started with just an end-to-end encrypted sync service where Mozilla could not access the data. Now they use accounts to monetize user data. Sigh.
There are probably still drones haunting the web claiming the highly repeated lie that “Mozilla does not even have user personal data” (meaning they only monetized the fuck out of every possible piece of sensitive private user data under other forms, without the risk of breaching GDPR). Well, sure they have, lots of that too.
“users who signed-in using Google or Apple credentials”
Wait, what ?