back to article Top Firefox extensions can hide silent malware using easy pre-fab tool

The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla's automated and human security tests. The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate …

  1. Kurt Meyer

    Alternatives?

    I don't know for sure, but I'll guess that Pale Moon suffers from the same or similar flaw(s), since its extension model is identical, as far as I know. So, Midori? Qupzilla? SRware Iron? Chromium? ELinks?

    1. frank ly
      Happy

      Re: Alternatives?

      Living on the Edge? They're going to give it extensions.

  2. Anonymous Coward
    Windows

    Today I learned 22 million people didn't get the memo that adblock plus went to the dark-side, and uBlock origin is where it's at.

    1. Anonymous Coward
      Anonymous Coward

      Provide link to memo!

      1. Anonymous Coward
      2. Florida1920

        @AC

        Provide link to memo!

        I'm not the only one who has been pushing uBlock Origin over ABP lately. Maybe if you take off the mask you'll notice more. Last week in this topic I said

        Adblock is so 2015. Those in the know have long since migrated to uBlock Origin.

        And got four downvotes!

        Less than two weeks ago, I positively mentioned uBlock Origin twice in this topic..

        We're trying, mate, but you have to help yourself, too.

    2. Ceiling Cat

      This is funny, because once I opted out of Whitelisted advertising through Adblock (they even tell you how to disable it in the iinstaller, ffs), I really haven't noticed a difference in operation between Ublock and AdBlock Plus.

      I also opt out of the whole debate about the ethical factor of paid whitelisting. I would have a stronger opinion if AdBlock Plus were the only ad-blocker available, but it's not. As it is, I use both, depending on the install. For Example, i used UBlock on my Lubuntu install, but I can't be bothered to switch on my main machine. My wife's Kubuntu box got whatever I felt like installing (ABP, I think), and it seems to work just fine. The machine I built for my co-worker got Ublock, because he doesn't care which I put on as long as it blocks most ads.

      Wish I could get ABP op UBlock for my tablet's default browser. Makes browsing the web a bit of a chore having al that extra crap on the page.

      1. Phil Kingston

        Block for all your kit in your DNS server. Done. Also for tablet.

        1. Anonymous Coward
          WTF?

          "Block for all your kit in your DNS server. Done. Also for tablet."

          Because everyone has a DNS server...FFS

          1. Someone_Somewhere

            Re: Because everyone has a DNS server...FFS

            Easy to set up.

            And free, if you use linux/BSD.

            You could even dedicate some resources on a Pi to it - along with a dedicated firewall and web proxy.

            Just because /you/ don't, doesn't mean no-one else /could/ (or /should/) ... FFS.

    3. Doctor Syntax Silver badge

      And today we learned that massivelySerial hasn't realised that ABP has a facility to turn off whitelisting.

      I looked at uBlock. It blocked more than ads. Specifically it was blocking the videos of weather forecasts on the Beeb's site. It was removed forthwith & ABP was back with whitelisting turned off.

      1. Charles 9 Silver badge

        "Specifically it was blocking the videos of weather forecasts on the Beeb's site."

        You know uBlock Origin has a very obvious "Off Button" you can use to turn it off on a per-site or per-page basis if you need it? It's kinda necessary when ad content and legit content are fed off the same server, creating a part-and-parcel problem.

      2. Baskitcaise

        beeb?

        (Specifically it was blocking the videos of weather forecasts on the Beeb's site.)

        Works fine here just whitelist the beeb in ublock.

    4. Halfmad Silver badge

      Even if Adblock hadn't, Ublock is simply miles better anyway.

  3. Destroy All Monsters Silver badge
    Paris Hilton

    This mess of an article still doesn't explain WTF is going on?

    So there are extension which pass Mozilla's holey vetting process and use other extensions to hide their malicious behaviour. Or something? And if, so, how.

    1. Anonymous Coward
      Anonymous Coward

      Re: This mess of an article still doesn't explain WTF is going on?

      I'm glad it's not just me. I think you're right - it isn't that the likes of NoScript contain any malware, but rather that their use can be subverted by dodgy extensions.

      So, if I only have one extension - NoScript, as it happens, and don't install anything else, there is no problem.

      And if so, I'll stick with Palemoon for now.

      1. Anonymous Coward
        Anonymous Coward

        Re: This mess of an article still doesn't explain WTF is going on?

        That's the way I interpret what they've said. I'd call it a trojan-extension vulnerability. You have to go out and grab the extension from either off-Mozilla source (and forcefeed that in) or you have to download an extension that Mozilla says is okay but has internals that have been vetted as good but isn't.

        Frankly, I've always paid attention to who author is and I keep it lean on the add-ons.

      2. Doctor Syntax Silver badge

        Re: This mess of an article still doesn't explain WTF is going on?

        "And if so, I'll stick with Palemoon for now."

        But as the first comment says, Palemoon probably has the same problem. After all it was a fork of the Firefox of some time ago.

        1. Anonymous Coward
          Anonymous Coward

          @Doctor Syntax - Re: This mess of an article still doesn't explain WTF is going on?

          Yes, Palemoon has the same problem and, I suppose, will continue to have it for a lot longer than Firefox.

          I was trying to acknowledge that point, and at the same time conclude that the risk is containable - provided that I don't install any extensions other than NoScript. As it stands, NoScript is all I need or use beyond the basic fit (both for Palemoon and for Firefox - when I occasionally use it).

          1. Someone_Somewhere

            Re: NoScript is all I need

            If you add RequestPolicy to your repetoire, you'll find that (in my experience) at least 7/10 times you don't even need to enable a single script, just a cdn (or local domain-hosted images) to see all you need to - I find that (almost) the only time I need any scripts is when I want to do anything that rquires a login (like replying here for instance).

    2. MrT

      Re: This mess of an article still doesn't explain WTF is going on?

      Exactly my thoughts - no link to source material either. At one point the message is "don't trust extension writers", then it's "some are okay", but in parts it looks more like malware is riding in under the cloak of the extension, as if it's nicking a session ID, or that it's replacing the regular extension in the library with a fake version.

      If the conclusion is to trust AdBlock more than NoScript... ... oh dear. I'd rather trust NoScript than the ad-slingers and analytics trackers. It's almost as if the research was funded by those behind DoubleClick or AdBlock - wouldn't surprise me if uBlock Origin was also found wanting...

      FUD.

    3. Dr Paul Taylor

      Re: This mess of an article still doesn't explain WTF is going on?

      Please can we have some clearer analysis of whether NoScript is safe or not. I block all Javascript unless I can't get away without it, because I don't want every Tom Dick and Harry's code running on my computer.

    4. JLV

      Re: This mess of an article still doesn't explain WTF is going on?

      Yeah, felt like a mental midget as well. What is noscript's role in all this? Someone can upload a malicious clone of it somewhere? Or someone can write a different extension that taps into legit noscript to hack you?

      I agree with the poster that the less you install the better off you are and only do it for large volume use stuff. Let other kids take point in landmine country. That model is true for PCs, smartphone apps, JS n Python modules, browsers. I do tend to trust Linux and macport official repos though.

  4. Anonymous Coward
    Anonymous Coward

    NoScript = Tor browser bundle

    I haven't heard of NoScript before, yet it has 2.5 million users? A quick search says its in the Tor browser bundle, so they will be Tor users.

    https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Tor_Browser

    "Tor Browser, previously known as Tor Browser Bundle (TBB), is the flagship product of the Tor Project. It consists of a modified Mozilla Firefox ESR web browser, the TorButton, TorLauncher, NoScript and HTTPS Everywhere Firefox extensions"

    But that would also explain one of the unknown Tor attack vectors, from the story last week.

    1. Intractable Potsherd Silver badge

      Re: NoScript = Tor browser bundle

      I can't work out whether you are being serious, AC. However, in case you are (after all, there is a first time to find anything, even it is well-known), NoScript is a very well-known and trusted script blocker for Firefox and its forks: https://noscript.net/. I have been using for years, and I suspect I heard about it on these here fora - the list of comments runs to ten pages: http://forums.theregister.co.uk/post/search/?q=noscript&sort=score&page=10.

    2. Doctor Syntax Silver badge

      Re: NoScript = Tor browser bundle

      "I haven't heard of NoScript before, yet it has 2.5 million users? A quick search says its in the Tor browser bundle, so they will be Tor users."

      Where did you search? If you use your browser's search for extensions options you should find it there. Tor might bundle it but lots of us use it without using Tor. I'm surprised the count is as low as 2.5 million. You seem to have much to learn.

    3. frank ly

      Re: NoScript = Tor browser bundle

      A quick search tells me that Firefox is in most Linux distributions. So, Firefox users run Linux - obviously.

    4. x 7

      Re: NoScript = Tor browser bundle

      " A quick search says its in the Tor browser bundle, so they will be Tor users."

      Thats the kinds of bollox you get if your first line of research is wiki

      it may be in the TOR browser, but thats just a tiny part of its use. Its a script blocking extension for Firefox.

      Its available for download from https://addons.mozilla.org/en-GB/firefox/addon/NoScript/

      the authors webpage is at https://noscript.net/

      jts a good program, though using it can get tiresome due to the amount of interaction it requires to view many siters

    5. John Brown (no body) Silver badge

      Re: NoScript = Tor browser bundle

      "I haven't heard of NoScript before, "

      Really? New to IT or something? It's usually one of the Top Picks if you go to the Firefox add-ons page

      As for Tor, no. NoScript is included with and used as part of the Tor Bundle, yes, as are many other useful tools and utilities which are nothing to do with Tor per sè. NoScipt is a separate and standalone project and nothing to with the Tor project

  5. This post has been deleted by its author

    1. Charlie Clark Silver badge
      Thumb Down

      I've said this time and time again. Core funcionality should be built into the browser rather than relying on, "plugins", for just about everything.

      Well, have a prize for being the most self-righteous prick of the day!

      The vulnerability here described stems from the way XUL provides access to core functionality. It is, however, pretty esoteric and requires considerable social engineering in order to be exploited. Furthermore, while I'm no fan of the XUL approach, we're talking about an architecture that it is 15 years old and is already side-lined for replacement with a sandboxed, but less capable one.

      As for core browser functionality: I'm more worried about browsers being able to spaff my location or access microphone and camera than I am about this, because if the browser itself can be compromised, and this seems more common than compromised extensions, it can spew far more information.

      1. This post has been deleted by its author

      2. Mark 110

        Whats on your camera???? Is it fun??

    2. Doctor Syntax Silver badge

      @ 1980s_coder

      That depends on what you understand by core functionality. We started out with a very limited functionality. The server provided minimal tags to describe the content and the client was left to do layout. The most objectionable element of the whole lot was probably the blink tag. PDQ marketroids and the like took over and demanded more & more control over the appearance of the displayed page. Hence we got CSS, Javascript, cookies, Java applets, Flash & whatever other crap escapes me for the moment. The browser became less of a client to display what it was sent and more of a remote execution platform. No wonder it's riddled with vulnerabilities. The "core functionality" has grown and part of the need for extensions is to block some of it.

      I'm not against the idea of a core without extensions but it would have to be smaller than the present core, not bigger. It would have to be small enough to be safe - i.e. a remote display platform, not a remote execution platform and web sites need to adapt.

      However the original concept of the web is now so seriously broken and I can't see how it can be fixed. Any browser attempting to go back to an intrinsically safe core would break so many sites it would be rejected by users. The browser authors should have said "no" when the first requests to subvert the original concept came in and they should have kept saying "no".

      1. Dr Paul Taylor

        However the original concept of the web is now so seriously broken and I can't see how it can be fixed.

        and the rest of the post - my thoughts entirely.

        I want a "browser" that treats every incoming byte as possible malware/spyware, shows me the pure information content and sends nothing back to the source.

        1. Charles 9 Silver badge

          "I want a "browser" that treats every incoming byte as possible malware/spyware, shows me the pure information content and sends nothing back to the source."

          Then how do you do things like interactive whiteboards, running stats/scores/whatever or a shopping cart where the URL doesn't give the works away each time? Surfers want two-way content, and you can't do that on a one-way web.

  6. Anonymous Coward
    Anonymous Coward

    "Mozilla already maintains a list of malicious extensions which sports 161 blacklisted items [...]"

    A link would have been useful. Presumably it is this one?

    https://addons.mozilla.org/en-GB/firefox/blocked/

    Can't find the Selenium VBA Web Driver that it disabled last week on 45.0.1 - but it is not in the allowed extensions either.

  7. Doctor Syntax Silver badge

    More info needed

    1. Was this disclosed to the extension authors with sufficient time for them to produce fixes? If not it's an irresponsible disclosure.

    2. Is this a vulnerability which can be exploited by simply browsing a malicious site or does the user have to be tricked into doing something active?

    3. If the latter what should we avoid?

    1. Anonymous Coward
      Meh

      Re: More info needed

      "1. Was this disclosed to the extension authors with sufficient time for them to produce fixes? If not it's an irresponsible disclosure."

      It's a black hat conference, so probably not.

      1. Doctor Syntax Silver badge

        Re: More info needed

        "It's a black hat conference, so probably not."

        Given that the authors were a PhD student and an academic I'd have expected a degree of responsibility if only to avoid the risk of class action suits on their universities.

  8. Digitall
    WTF?

    I call BULLSHIT!

    I don't claim to be an expert but, this seems to me to be an undermining attempt to get surfers to abandon something that works. (Fear is the key which seems to work in this age)

    So using Tor with noscript and https everywhere is unsafe? yeah right..

    I'd be more worried about the avenue Microsoft is pursuing and what the future holds for privacy and the impending data breach of YOUR data on THEIR systems.

  9. Elmer Phud
    Pirate

    No Script?

    Considering the bandwidth used on these pages where we are regaled by NoScript fans, the irony is big with this one.

  10. This post has been deleted by a moderator

  11. David Roberts
    Facepalm

    Messy article, messy comments.

    As far as I can tell someone has demonstrated that a malicious extension can hijack reputable extensions and do bad things (the implication being that reputable extensions have the power to do bad things but don't ).

    For context, some of the most popular (vulnerable) extensions were listed.

    Cue commentards promptly slagging off various extensions, apparently missing the point that you also need to install the malicious extension for harm to happen.

    Isn't the real message that the extension framework in Firefox is unsafe by design so be very careful about adding extensions?

    Just to join in the general slagging off, I've given up on Firefox on Windows and Android because it is so bloated and slow.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020