Wednesday, May 30, 2007

Google, Yahoo and Facebook extensions for Firefox put millions at risk of attack

Everyone loves Firefox, right? So much better than IE, so much more secure? This morning, however, it was revealed that literally millions of Firefox users are at risk of a remote attack if they use the Google, Yahoo or Facebook extensions.

Firefox extensions let you add a myriad of cool stuff to your browser, and when an extension needs updating Firefox tells you so and you click update if you want to. The trouble with the Google, Yahoo and Facebook extensions, along with a number of anti-phishing extensions, is where that update comes from: the update check and the download are done over a plain, unencrypted HTTP connection, with nothing to verify that the code Firefox receives really came from the vendor. Extensions hosted on addons.mozilla.org are not affected, because their update checks go over HTTPS.

Christopher Soghoian, an independent security researcher and Indiana University student, published the vulnerability this morning after waiting 45 days from notifying the software vendors, in line with responsible-disclosure practice. So far none of the companies involved has issued an update to close the hole.

The problem stems from the potential for a "man in the middle" attack on any user who is connected to an untrusted network (public wifi, for example) or whose home router has been compromised because its default password was never changed. An attacker in that position can redirect the extension's update check to a server they control, answer with an "update" that points at their own malware, and have Firefox install it on the user's machine under the name of an extension the user already trusts. The quick check for any extension is whether the updateURL in its install.rdf manifest starts with https:// (or is absent, in which case Firefox falls back to addons.mozilla.org); a plain http:// updateURL means the update is open to this attack.
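The following is an added example, not code from the original post or from the researcher: a small Python audit that opens an extension's install.rdf manifest (directly, or inside a downloaded .xpi, which is just a zip file), pulls out the em:updateURL property, and reports whether the update check travels over HTTPS, over unprotected HTTP, or relies on the addons.mozilla.org default. The three sample manifests and their IDs are constructed for the demonstration and correspond to no real extension.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by every Firefox install.rdf manifest.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def update_url_from_install_rdf(install_rdf_xml):
    """Return the em:updateURL declared in an install.rdf manifest, or None.

    RDF/XML allows the property either as a child element of the
    rdf:Description or as an attribute on it, so both spellings are checked.
    """
    root = ET.fromstring(install_rdf_xml)
    for desc in root.iter("{%s}Description" % RDF_NS):
        child = desc.find("{%s}updateURL" % EM_NS)
        if child is not None and child.text and child.text.strip():
            return child.text.strip()
        attr = desc.get("{%s}updateURL" % EM_NS)
        if attr and attr.strip():
            return attr.strip()
    return None


def classify_update_url(url):
    """Classify how the extension's update check travels.

    None means no updateURL is declared, so Firefox asks addons.mozilla.org,
    whose update service answers over HTTPS.
    """
    if url is None:
        return "default-amo-https"
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "http-unprotected"
    return "other:" + scheme


def audit_install_rdf(install_rdf_xml):
    """Audit one manifest; returns (declared updateURL or None, verdict)."""
    url = update_url_from_install_rdf(install_rdf_xml)
    return url, classify_update_url(url)


def audit_xpi(xpi_bytes):
    """Audit a packed .xpi (a zip archive containing install.rdf)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        manifest = zf.read("install.rdf").decode("utf-8")
    return audit_install_rdf(manifest)


def build_xpi(install_rdf_xml):
    """Constructed helper: pack a manifest into an in-memory .xpi for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", install_rdf_xml)
    return buf.getvalue()


MANIFEST_TEMPLATE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{ext_id}</em:id>
    <em:version>1.0</em:version>
    <em:name>Constructed sample extension</em:name>
    {update_url_line}
  </Description>
</RDF>
"""

# Constructed sample manifests (not real extensions): one checks for updates
# over plain HTTP, one over HTTPS, one relies on the addons.mozilla.org default.
SAMPLES = {
    "toolbar-http@example.invalid":
        "<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>",
    "toolbar-https@example.invalid":
        "<em:updateURL>https://updates.example.invalid/update.rdf</em:updateURL>",
    "amo-hosted@example.invalid": "",
}


def audit_samples():
    """Pack each constructed manifest into an .xpi and audit it."""
    results = {}
    for ext_id, line in SAMPLES.items():
        xml = MANIFEST_TEMPLATE.format(ext_id=ext_id, update_url_line=line)
        _url, verdict = audit_xpi(build_xpi(xml))
        results[ext_id] = verdict
    return results


if __name__ == "__main__":
    for ext_id, verdict in audit_samples().items():
        print("%-32s %s" % (ext_id, verdict))
```

To use it on a real profile, run audit_install_rdf over the install.rdf found in each extension directory under the profile's extensions folder, or audit_xpi over any .xpi you have downloaded; anything reported as http-unprotected updates over a channel that a man in the middle can rewrite.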

A QuickTime demo of the attack has been posted here.


Guido Faux said...

Of course simply running Firefox instead of IE on Windows is putting lipstick on the pig.

Caroline Hunt said...

Do I need to stop using my Facebook extension then? I would be very sad if I had to :(

dizzy said...

It's a question of risk really.