CPUFreak91 Member Posts: 2337 From: Registered: 02-01-2005 |
An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover. Read more of this story at Slashdot. ---- That's one reason why I don't use popular browsers (IE, Safari, FF) too much money in finding exploits and using them on millions of people. ------------------ "Oh, bother," said the Borg. "We've assimilated Pooh." "Socialism works great... if there are no people involved." -- Pastor David Ginter, Union Church of Guatemala. |
Faith_Warrior Member Posts: 490 From: So.Cal. Registered: 09-05-2006 |
I use FF almost exclusively other than konqueror occasionally. Before that I used Mozilla and before that Netscape. FF works fine without plug-ins, I only have the theme changed, that doesn’t update. No reason not to use it (not speaking of IE) just don’t make it insecure which is an obvious possibility when using 3rd party add-ons as with anything. |
Lazarus Member Posts: 1668 From: USA Registered: 06-06-2006 |
I only use one plug-in for FF - not that often either. In fact... I hardly ever actually use Firefox. *feels safe* |
Matt Langley Member Posts: 247 From: Eugene, OR, USA Registered: 08-31-2006 |
I use FF as well (all of GarageGames does), I only use the Firebug extension (for web dev and javascript debugging). ------------------ |