General Discussions

Hijacking Firefox Via Insecure Add-Ons – CPUFreak91



Posts: 2337
Registered: 02-01-2005
An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
Read more of this story at Slashdot.


That's one reason why I don't use popular browsers (IE, Safari, FF) too much money in finding exploits and using them on millions of people.

All Your Base Are Belong To Us!!! chown -r us ./base
"After three days without programming, life becomes meaningless.'' -- Tao of Programming Book 2

"Oh, bother," said the Borg. "We've assimilated Pooh."

"Socialism works great... if there are no people involved." -- Pastor David Ginter, Union Church of Guatemala.

My Programming and Hacker/Geek related Blog



Posts: 490
From: So.Cal.
Registered: 09-05-2006
I use FF almost exclusively other than konqueror occasionally. Before that I used Mozilla and before that Netscape. FF works fine without plug-ins, I only have the theme changed, that doesnít update. No reason not to use it (not speaking of IE) just donít make it insecure which is an obvious possibility when using 3rd party add-ons as with anything.


Posts: 1668
From: USA
Registered: 06-06-2006
I only use one plug-in for FF - not that often either. In fact... I hardly ever actually use Firefox.

*feels safe*

Matt Langley

Posts: 247
From: Eugene, OR, USA
Registered: 08-31-2006
I use FF as well (all of GarageGames does), I only use the Firebug extension (for web dev and javascript debugging).

Matthew Langley
Lead Documentation Engineer