Firefox Extensions: Ripe For Exploitation?
Do you think you are safe with Firefox? In general, I would agree with you. But at the same time, I would also point out that there is a fairly sizable security concern that may not be addressed as effectively as some security experts might like. It’s called the Firefox extension.
C’mon, Just How Likely is All of This?
As pointed out in this recent piece, it can be done from most local Wi-Fi hotspots with the proper know-how and, of course, the desire to do the dastardly deed. By the same token, let’s examine what is involved to make this threat a reality for the casual Firefox user.
According to the Washington Post, the most likely method of attack would be to intercept an update to one of the extensions, thus offering something malicious in its place. Possible? Sure. Likely? Not in a million years and I’m going to tell you why. It would be a lot simpler to use a clever phishing scheme to target a critical mass of people, get them to a false download Web site, and then have them "reinstall" what they consider to be a useful extension.
Since everyone is always talking about how safe and fantastic Firefox is (true, of course), the casual user who does not understand the threat of a phishing attack is likely to believe anything that comes to them via email and appears to be from Mozilla. In the end, it is just a lot easier, even though it still uses the extension as the culprit.
Firefox Extension Security Needs a Reevaluation?
Now there is one area in the Washington Post article that I wholeheartedly agree with, and that is the fact that data transmission for Add-ons (extensions) is painfully insecure and could potentially give the "bad guys" a friendly backdoor into your system. Not only is this a valid theory, but there has been some proof-of-concept research done to back up these security concerns as well.
What is even more frightening is the fact that no one seems to require any solid changes before the Firefox extension bubble comes crashing down around it. Again, I will agree that it remains highly unlikely from a "hotspot," but with the proper bait-and-switch moves in place, it could be done quite effectively. It’s just too bad that no one from Mozilla seems to be concerned about it… yet.
Taking a Step Further: Debian-Based Repositories.
Consider the number of Ubuntu users (Debian users are generally more experienced) who blindly add package repos without a care in the world. They find a new application mentioned on a Web site someplace, see that they simply need to gedit their way into things with a little "cut and paste" action and bam - they have just opened up a huge door into their system.
How is this possible? Even though Ubuntu's package manager clearly explains that the new repositories you just added cannot be verified as "safe," people use them without a second thought. Think I’m nuts? I know of three old-school Linux gurus who do this, in addition to myself. It’s just something that we take for granted. And eventually, it could spell trouble as various Linux distros continue to gain in popularity.
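The "cut and paste a repo line" habit described above is easy to audit before the package manager ever has to warn you. The following shell function is an added example (not from the original article or from Ubuntu's tooling): it scans a sources.list-style file and flags entries fetched over plain http:// or lacking a pinned signed-by keyring. The sample file and hostnames are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an apt sources.list-style file for repository lines
# that cannot be verified as trustworthy. Warnings go to stderr; the number
# of flagged entries is printed on stdout so callers can act on it.

audit_sources() {
    # $1: path to a sources.list-style file
    flagged=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;        # skip blank lines and comments
            deb*) ;;                    # deb and deb-src entries
            *) continue ;;              # anything else is not a repo line
        esac
        reason=""
        case "$line" in
            *'http://'*) reason="fetched over plain http (no transport integrity)" ;;
        esac
        case "$line" in
            *'signed-by='*) ;;          # a keyring is pinned for this repo
            *) reason="${reason:+$reason; }no signed-by keyring pinned" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'WARN: %s\n  -> %s\n' "$line" "$reason" >&2
            flagged=$((flagged + 1))
        fi
    done < "$1"
    printf '%s\n' "$flagged"
}

# Constructed sample sources.list (hostnames and keyring path are placeholders).
SAMPLE_SOURCES=$(mktemp)
trap 'rm -f "$SAMPLE_SOURCES"' EXIT
cat > "$SAMPLE_SOURCES" <<'EOF'
# distribution archive with a pinned keyring: not flagged
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://archive.example.org/ubuntu focal main
# lines pasted from a random blog post: flagged
deb http://ppa.example.net/cool-app/ubuntu focal main
deb-src http://ppa.example.net/cool-app/ubuntu focal main
EOF

# Run the audit on the sample; prints 2 (the two pasted lines).
audit_sources "$SAMPLE_SOURCES"
```

Point the function at a real /etc/apt/sources.list or a file under sources.list.d/ to review what was pasted in before running an update.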
Face It, We’ve Become Complacent.
Even people who consider themselves to be "experts" with various Linux distros can fall victim to a false sense of security by not using their common sense.
What is even worse is my fear that we could be setting a poor example should the security of rogue repositories become a problem. We might be able to spot trouble before it becomes an issue, but what about those who learn from us? It’s something to consider, both with regard to trusting blind links to xpi files that are used to install Firefox extensions as well as the bounty of repositories that are just waiting to be added instantly with no thought.
Remember, this may not be a problem today, but this certainly is not an invitation for sloppy behavior, regardless.
This article has been republished with the kind permission of our friends at Mad Penguin. For more news about the Open Source community, go give ‘em a look or Subscribe to Mad Penguin’s RSS Feed!
