
This Firefox add-on forces other extensions to steal your data

Millions of Firefox users face brand new attack


Firefox extensions are exposing millions of users to a new bug capable of stealing sensitive data, it has been claimed.

An attacker can create a malicious add-on for Mozilla's web browser, which can then disguise its nature by forcing a legitimate, existing add-on to do its dirty work for it, reports Ars Technica.

The flaw, dubbed an extension reuse vulnerability by the researchers who revealed it at the Black Hat security conference in Singapore, is able to do this because Mozilla has not isolated add-ons in its browser.

This means a malicious add-on exploiting the bug can take advantage of vulnerabilities in other add-ons a user has enabled, and route its attacks through them instead.

These buggy add-ons include NoScript, Video DownloadHelper, FlashGot and Firebug, the researchers wrote in the paper.

The extensions send the user to malicious websites, or force them to download malware.

As quoted by Ars Technica, the researchers said: "These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks.

"Malicious extensions that utilise this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

However, the attack does rely on a user first downloading the malicious add-on, as well as having buggy extensions already enabled in their browser.

Mozilla admitted to Ars that such a bug would work in its Firefox browser, adding: "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."
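The vetting gap the researchers describe, as an added example (not from the article or the researchers' paper): a review that inspects each add-on alone finds nothing in the innocuous one, while a review that resolves its calls against the other installed add-ons attributes the borrowed capabilities. The add-on names, fields, capability labels and the `isolated` switch are assumptions of this toy model, not Firefox APIs.

```javascript
// Constructed model: add-on names, fields and capability labels are
// hypothetical and are not Firefox APIs or real add-on contents.
const profile = [
  { name: "downloader", own: ["network", "file-write"],
    exports: { saveUrl: ["network", "file-write"] }, calls: [] },
  { name: "theme-tweaks", own: [], exports: {}, calls: [] },
  // The add-on under review: no privileged code of its own, but it
  // invokes a function another add-on left in the shared scope.
  { name: "innocuous", own: [], exports: {}, calls: ["saveUrl"] },
];

// Per-add-on vetting: only sees capabilities the add-on's own code uses.
function vetAlone(addon) {
  return [...new Set(addon.own)].sort();
}

// Profile-aware vetting: also resolves each call against functions exported
// by the other installed add-ons and records which add-on acts as deputy.
// With isolated=true nothing resolves across add-ons (modelling assumption).
function vetInProfile(addon, installed, { isolated = false } = {}) {
  const findings = vetAlone(addon).map((cap) => ({ cap, via: "own code" }));
  if (isolated) return findings;
  for (const fn of addon.calls) {
    for (const other of installed) {
      if (other.name === addon.name) continue;
      if (!Object.prototype.hasOwnProperty.call(other.exports, fn)) continue;
      for (const cap of other.exports[fn]) {
        findings.push({ cap, via: `${other.name}.${fn}` });
      }
    }
  }
  return findings;
}

// One row per installed add-on: what it holds itself and what it borrows.
function report(installed, opts) {
  return installed.map((a) => ({
    name: a.name,
    alone: vetAlone(a),
    borrowed: vetInProfile(a, installed, opts).filter((f) => f.via !== "own code"),
  }));
}
```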
