Researchers warn that hundreds of popular Firefox browser extensions are vulnerable to an attack that could give hackers control of Mac OS X and Windows computers.
Researchers from Northeastern University say the flaw is tied to Firefox’s support for an older browser extension platform and the Mozilla Foundation’s plug-in vetting process for its Firefox browser. Researchers presented their findings last week at Black Hat Asia.
“Attackers could write an extension that looks innocuous to anyone reviewing the plug-in. But once added to the Firefox browser, the benign-looking extension could easily exploit a second Firefox extension to plant malware on the user’s computer,” said William Robertson, assistant professor at Northeastern University and one of four researchers who discovered the vulnerability.
In a report, “CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities,” researchers claim 2,000 Firefox extensions – including nine of the top 10 extensions – are exploitable via “extension-reuse vulnerabilities.” Researchers tested the desktop version of the Firefox browser running on Mac OS X and Windows platforms, finding both vulnerable.
“The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia,” said Nick Nguyen, Mozilla vice president of product strategy, in a statement to Threatpost. “The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.” Nguyen said that later this year Firefox will start to sandbox extensions so that they cannot share code.
Reuse flaws outside the context of web browsers are not new, Robertson told Threatpost. “We have just never seen a reuse vulnerability exploited within a browser extension like this,” he said.
Northeastern researchers said Firefox, unlike other browsers, does not isolate a browser add-on’s functions. That, researchers say, can allow an attacker to submit an extension that looks harmless through the Mozilla Foundation’s vetting process. Once installed, however, the extension can work independently and leverage a second Firefox browser extension to function in ways it was never intended. By manipulating that second plug-in, an attacker could install malware on the Mac OS X or Windows computer.
“Extensions can often access private browsing information such as cookies, history and password stores, and also system-wide resources,” researchers wrote. “For instance, Firefox exposes a rich API to its extensions through XPCOM (Cross Platform Component Object Model) that allows nearly unrestricted access to sensitive system resources such as the filesystem and network. Consequently, malicious extensions, or attacks directed at legitimate extensions, pose a significant security risk to users.”
Researchers say the Firefox extension architecture allows JavaScript extensions installed on a Mac OS X or Windows system to share the same JavaScript namespace. That, they say, makes it possible for an extension to “invoke the functionality (or modify the state) of others.”
Robertson points to the reliance by Firefox on the older XPCOM framework, which does not isolate extensions, as the source of the problem. The Mozilla Foundation, he said, had planned to support the more modern Jetpack framework, similar to Google Chrome and Microsoft Edge browsers, that isolated extension modules from each other.
Instead, the Mozilla Foundation announced late last year it would support the WebExtensions framework that would allow for add-on compatibility between Chrome and the Opera browsers. That project is still in progress. WebExtensions restricts interaction between browser add-on modules. Once the Mozilla Foundation announced plans to support WebExtensions, support for the Jetpack framework dwindled.
“Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security,” Firefox’s Nguyen told Threatpost. “The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative – our project to introduce multi-process architecture to Firefox later this year – we will start to sandbox Firefox extensions so that they cannot share code.”
Robertson said that the Mozilla Foundation has been aware of Northeastern University’s research for “some time” and since then has been more vigilant in its evaluation of Firefox add-ons submitted for inclusion in the browser.
“Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures,” researchers wrote. “The malicious extension itself does not make any sensitive API calls or resource accesses, which allows the malicious behavior to stay hidden.”
Researchers say testing of extensions should require an analysis of how an extension candidate would interact with all other Firefox extensions, making the vetting process arduous. Vetting, researchers wrote, “would require covering the code from the entire extension pool available to Firefox users since the attack could utilize code from any and multiple extensions, which would considerably increase the complexity of the analysis task.”
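The shared-namespace problem and the pool-wide vetting requirement described above can be seen in a small model. This is an added example, not code from the researchers' report or from Firefox: the extension names, the `ns` namespace object and the `api.privileged` stub are all hypothetical, and a `Proxy` stands in for the instrumentation a dynamic vetting harness would use.

```javascript
// Toy model (constructed for illustration; this is not Firefox or XPCOM code).
// An "extension" is a function (ns, api):
//   ns  - the JavaScript namespace the extension is loaded into
//   api - stand-in for a privileged API; records whose code invoked it
function loadExtensions(extensions, { shared }) {
  const owners = new Map();   // namespace property -> extension that defined it
  const crossAccess = [];     // reads of a property another extension defined
  const apiCalls = [];        // extension whose own code called the privileged API
  const sharedBacking = {};
  const hasOwn = (o, p) => Object.prototype.hasOwnProperty.call(o, p);

  for (const [name, body] of Object.entries(extensions)) {
    // Shared mode: every extension sees one namespace. Isolated mode: one each.
    const backing = shared ? sharedBacking : {};
    const ns = new Proxy(backing, {
      set(target, prop, value) {
        if (!owners.has(prop)) owners.set(prop, name);
        target[prop] = value;
        return true;
      },
      get(target, prop) {
        const definedBy = owners.get(prop);
        if (definedBy && definedBy !== name && hasOwn(target, prop)) {
          crossAccess.push({ caller: name, prop, definedBy });
        }
        return target[prop];
      },
    });
    const api = { privileged: () => apiCalls.push(name) };
    body(ns, api);
  }
  return { crossAccess, apiCalls };
}

// Hypothetical two-extension pool (constructed sample input).
const pool = {
  // Exposes a helper in its namespace that wraps the privileged API.
  helperAddon(ns, api) { ns.helperAddon = { run: () => api.privileged() }; },
  // Never touches `api`; only looks up the other add-on's helper.
  reuserAddon(ns, api) { const h = ns.helperAddon; if (h) h.run(); },
};

const sharedRun = loadExtensions(pool, { shared: true });
const isolatedRun = loadExtensions(pool, { shared: false });
console.log(JSON.stringify({ sharedRun, isolatedRun }, null, 2));
```

In the shared run the privileged call is attributed only to `helperAddon`, so a review of `reuserAddon` alone sees nothing sensitive; only the cross-extension trace shows the dependency. In the isolated run the lookup returns nothing and no privileged call happens.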
As part of its analysis, researchers uploaded a proof-of-concept extension that passed a “fully reviewed” analysis. Robertson told Threatpost he is unaware of this exploit being used by malicious Firefox extensions.