<<< Date Index >>>     <<< Thread Index >>>

Re: Evil side of Firefox extensions



>This is definitely a good idea, although I don't think it should be a
>compulsory feature (optional would be nice). If more people than just you
>have access to a machine at the end of the day there's no way to guarantee
>security. This is just another method of stealing information like a
>keylogger would (although admittedly, more intelligent).
>This isn't so much a bug as it would be user error (in my opinion), you

I didn't tell it's a bug.

>choose what extensions you want to install and if you're foolish enough to
>install an extension from an untrusted source then you can expect horrible
>things to happen.
>

I was primary talking about the internet clubs. FFsniFF was tested on _one_
computer in local internet club: About 30 sniffed accounts (mostly mail and
chat accounts) in two days.
There are also another ways how extensions can be installed into your browser.
For example by a some kind of viruses.

The only thing which I wanted to say is that there should be a way how to 
disallow
installation of extensions by anyone.

>Henri
>henri[at]theplayboymansion[dot]net
>
>> Background
>> ----------
>> Firefox is very popular and secure web browser. Until now, it is used by
>> milions of people and thousands of internet clubs. One of the great
>> features of
>> Firefox are extensions. You can use them to create things inside your
>> browser
>> which are beyond your imagination. But everything has an other side..
>>
>> Overview
>> --------
>> Writting a powerfull extension is extremely simple process. Extensions are
>> allowed to do _everything_ with your browser: They can change the skin,
>> block
>> banners on pages or even create network connection and send data through
>> it to
>> the internet. The worst of all is that _anyone_, who has physical access
>> to
>> your computer, can install extensions into your browser _without_ your
>> notification.
>>
>> As an example, I created a simple html form sniffer. You can download it
>> here:
>> http://azurit.gigahosting.cz/ffsniff/
>>
>> It was tested only with Firefox 1.0.x and 1.5.x .
>>
>> FFsniFF is a simple Firefox extension, which transforms your browser into
>> the
>> html form sniffer. Everytime the user click on 'Submit' button, FFsniFF
>> will try
>> to find a non-blank password field in the form. If it's found, entire form
>> (also
>> with URL) is sent to the specified e-mail address.
>>
>> Solution
>> --------
>> I think that the solution for this should be in the ability of locking the
>> installation of extensions with a password. Every user will be able to
>> read hash
>> of the password (so the browser can verify it) and only system
>> administrator
>> will be allowed to change it (it can be stored for example in registers
>> [Windows] or somewhere in /etc dir [Linux]).
>>
>>
>> azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk
>>
>>
>>
>>