Flaws affecting popular Firefox extensions were disclosed by researchers at Black Hat Asia in Singapore. The reusable vulnerabilities were discovered by Northeastern Univeristy PhD candidate Ahmet Buyukkayhan and assistant professor William Robertson.
The attacks use functionality from non-malicious extensions to bypass Mozilla's security checks and use elevated privileges of extensions to access browsing history, passwords, and user information.
The team researched 2,000 Firefox extensions and found several Firefox extensions, including NoScript, Video DownloadHelper, and GreaseMonkey are affected. One of the extensions, NoScript, is a favorite extension commonly used to prevent malware infection by limiting code execution. These extensions have each been downloaded by millions of users.
Robertson is a co-director of Systems Security Lab at Northeastern University and a consultant at Lastline Labs.
There is no readily available patch for the extension vulnerabilities. It is suggested that users uninstall extensions. Mozilla did not reply to requests for comment by press time.
UPDATE: Mozilla replied to an earlier request for comment with the following statement from Nick Nguyen, VP of Product for Firefox:
“The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.
“Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative - our project to introduce multi-process architecture to Firefox later this year - we will start to sandbox Firefox extensions so that they cannot share code.”