"... The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla's automated and human security tests. The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate functionality.... ...The extensions vulnerable to the 255 reuse exploits found included NoScript with 2.5 million users........" http://www.theregister.co.uk/2016/04 /04/top_firefox_extensions_can_hide_silent_malware_using_easy_prefab_tool/
Hmmm.... https://www.blackhat.com/asia-16/br...on-of-firefox-extension-reuse-vulnerabilities which one do you want to remove also?...please Full report https://www.internetsociety.org/sit...s-firefox-extension-reuse-vulnerabilities.pdf
I have to say that I didn't understand it, more info is welcome. But I guess in order to exploit this stuff you first need to be able to convince people to install the evil extension. That's why I always advice to install as few extensions as possible.
Well ... I only have six extensions anyway lol, and I really only use Firefox on Linux (Ubuntu). Hopefully I'll be OK
@emmjay - you are not alone there . There's way too much " maybe" , "could be " , "might be " in the article . It looks to me like a "proof-of-concept " , and a fairly vague one at that ! Any evidence of actual exploits in the wild ? And as for NoScript in particular , Giorgio Maone is clearly a very smart and skilled guy . Update cycles for NoScript are fast and frequent and I'm confidant that these reported vulnerabilities will be quickly assessed.
I think the way to handle extensions and plugins is to install as few as possible, only install the ones you use on a regular basis and only install the ones that are well known and popular. Thats what I have been doing for a long time and seems to work. Bo
Here is another explanation, with a link to the original research report. The report is rather dense, and probably only the developer types will be able to decipher it. The problem is a flaw in the legacy Firefox extension platform: https://threatpost.com/firefox-add-on-flaw-leaves-apple-and-windows-computers-open-to-attack/117183/ "Firefox extensions share the same JavaScript namespace – in other words, every extension installed on a system can freely access all of the JavaScript names defined in the global scope by each extension. This problem has been identified by the Mozilla community in the past, and it has been recommended that each extension define its own namespace to avoid JavaScript name collisions. However, the security implications thereof has been left largely unexplored so far. In particular, this shared JavaScript namespace makes it possible for extensions to read from and write to global variables defined by others, call or override all global functions, and modify instantiated objects." "Recently, Mozilla developed an alternative framework for extension development, called the Add-on SDK, as part of the Jetpack project ... ... as of October 2014, 12.0% of the top 2,000 Firefox extensions are developed using the Jetpack framework, while the remaining 88.0% are legacy extensions. While these results indicate that the adoption of the Jetpack framework may be increasing, a clear majority of the top extensions are still using the legacy extension development methods." "In addition, our experiments with vulnerable Jetpack extension show that, even though Jetpack extensions have a narrower attack surface compared to legacy extensions, they are not immune to extension-reuse attacks." The NoScript forum has this thread on the topic: https://forums.informaction.com/viewtopic.php?f=19&t=21795 Of course, Mozilla is currently developing [target for Firefox version 48] an entirely new extension API: https://wiki.mozilla.org/WebExtensions
I have read it, and I now understand. It's basically a security flaw in the current FF extensions architecture. They will fix this in newer FF versions when they switch to a different extensions model. But I've always said that browsers give way too much power to extensions, which can be a huge security risk.
I'd take the "power to extensions" approach any day over the "walled garden" one, even if it leads to some vulnerabilities like the one described in the article. The reason is that vulnerabilities can usually be solved or mitigated, but if the extensions developers or users are not allowed enough freedom, that cannot be changed so easily.
For me , that's the key thing to watch right now , and I reckon NoScript will be on top of it very quickly . Thanks for the link , it's an ongoing topic in that forum . In the meantime , I see no reason to change anything regarding FF and/or NoScript. Has anyone here read a reliable report of this exploit in the wild ?
Well, it depends, too many restrictions is not good either, but extensions should not have access to sensitive data. And this specific problem can only be solved by making the extensions system more strict, but I don't know if capabilities of future extensions will be limited.
Yes! That was some informative reading. It appears to be very good news that the NoScript developer has taken a strong interest in getting his extension ready for the new API. The biggest loss may be to the interesting legacy extensions that were developed for Firefox only, have no Google Chrome version, and are no longer actively supported. Giorgio Maone (NoScript dev) mentioned in one post that any extensions with a Chrome counterpart could be easily ported to Firefox with the new WebExtensions API. https://developer.mozilla.org/en-US/Add-ons/WebExtensions https://wiki.mozilla.org/WebExtensions/FAQ
From what I have seen on the topic, they seem to be trying to solve both issues. Giorgio has proposed "native.js" to "embrace & extend" the WebExtensions API as a workaround to give devs some more latitude beyond the "strict" API. https://discourse.mozilla-community...-to-embrace-extend-the-webextensions-api/3457
Sensitive data would include URLs, hostnames, headers, page content, script content, cookies and other storage, user input, etc. The ability to inspect such things, and perform outright blocking and/or more selective threat mitigation steps, allows us to dramatically improve security/privacy while we use the browser.
Yes good point, but I still believe that extensions should somehow be more restricted by the browser. Of course I can't tell you how exactly, since I don't have the expertise and it's a bit complex as you noted. But fact of the matter is that extensions have a whole lot of power, perhaps too much. In theory they can do stuff like keylogging and stealing passwords. You might also want to read a report called: "Abusing, Exploiting and Pwning with Firefox Add-ons", look for it on Google.
CrossFUD: an Analysis of Inflated Research and Sloppy Reporting Giorgio Maone's comment on this matter.
Also don't forget about this: http://observer.com/2015/11/chrome-extensions-are-bypassing-ghostery-and-other-tracking-blockers/
Indeed. In older Chrome versions uMatrix was able to control the behavior of other extensions but, unfortunately, this has changed.