3rd-party installation
You have probably already encountered applications, like the Flash player or some repackaged free software, that want you to install a toolbar or some spyware/adware for your browser. This is a 3rd-party installation of an extension. For Firefox, this installation consists of copying the browser extension into your Firefox profile (or a special folder that contains extensions shared by all profiles).
| Software installer contains a toolbar/adware/spyware extension |
Firefox protects against this type of external extension installation by prompting the user the next time the browser is started - the user has the option to disable (default action) or enable the new extension.
| Firefox warning for an extension installed outside of the browser |
Silent installation
It is actually very easy to bypass the warning from Firefox. Firefox stores information about all extensions in an SQLite3 database named extensions.sqlite, located in each Firefox profile. It contains:
- name, version, description, etc.
- enabled or disabled
- active or not
- installed from official Mozilla extension site or not
| extensions.sqlite |
When Firefox starts, it checks the list of extensions under
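As an added defender-side example (not the author's tool and not Mozilla's code): a short Python audit that opens the addon table and lists every enabled extension that cannot be traced to a download from addons.mozilla.org, which is what a sideloaded toolbar looks like in this database. The column names (active, userDisabled, appDisabled, sourceURI) are an assumption modelled on the Firefox 4-era extensions.sqlite schema, and the rows are constructed samples.

```python
import sqlite3
from urllib.parse import urlparse

AMO_HOST = "addons.mozilla.org"

# Assumed schema: a subset of the Firefox 4-era extensions.sqlite "addon"
# table. Compare with `.schema addon` on a real profile before trusting it.
ADDON_SCHEMA = """
CREATE TABLE addon (
    id TEXT, location TEXT, version TEXT, type TEXT,
    active INTEGER, userDisabled INTEGER, appDisabled INTEGER,
    installDate INTEGER, sourceURI TEXT
);
"""

# Constructed sample rows, not copied from any real profile.
SAMPLE_ROWS = [
    ("official@example", "app-profile", "1.0", "extension", 1, 0, 0, 1,
     "https://addons.mozilla.org/firefox/downloads/file/1/official.xpi"),
    ("toolbar@example", "app-profile", "2.3", "extension", 1, 0, 0, 2, None),
    ("sideload@example", "app-profile", "0.9", "extension", 1, 0, 0, 3,
     "http://downloads.example.net/sideload.xpi"),
    ("pending@example", "app-profile", "1.1", "extension", 0, 1, 0, 4, None),
]

def load_sample(conn):
    """Populate an empty database with the constructed rows above."""
    conn.executescript(ADDON_SCHEMA)
    conn.executemany("INSERT INTO addon VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)

def audit_addons(conn):
    """Return (id, version, reason) for each enabled extension whose
    sourceURI does not point at addons.mozilla.org, i.e. one that did not
    arrive through the add-on manager's normal download path."""
    findings = []
    query = ("SELECT id, version, active, userDisabled, appDisabled, sourceURI"
             " FROM addon WHERE type = 'extension'")
    for addon_id, version, active, user_off, app_off, source in conn.execute(query):
        if not active or user_off or app_off:
            continue  # e.g. left disabled at Firefox's own warning prompt
        host = urlparse(source).hostname if source else None
        if host is None:
            findings.append((addon_id, version, "no sourceURI recorded"))
        elif host != AMO_HOST:
            findings.append((addon_id, version, f"downloaded from {host}"))
    return findings
```

To run it against a real profile, pass sqlite3.connect("/path/to/profile/extensions.sqlite") to audit_addons and skip load_sample; the sample data is only there so the script works offline.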
Demonstration
I've written a small program that installs an extension silently into any Firefox profile. You can download the program and the extension here, and the source code there.
The program was written in C# and can be compiled with the free Visual Studio Express for .NET from Microsoft.
| Tool shows the steps to install the extension silently |
The "malicious" extension does not actually do anything. All the malicious code has been commented out, although it includes some of the things an attacker could do, such as:
- steal the list of logins and passwords saved
- send out all the URLs visited by the user
- disable security features
I suggest that you create a custom profile to test the extension. To create a new profile named "demo", run the following command:
firefox -CreateProfile demo --no-remote
Then start Firefox with your new profile:
firefox -P demo --no-remote
I've included a video that shows the silent installation in case you're fearful of trying it for yourself:
Why it matters
Many free software packages push toolbars, adware and spyware into Firefox and other browsers, installed as part of their installation to earn some money for the extension creator (see previous PPI campaigns). Firefox gives users a chance to explicitly and clearly decide whether or not they want to enable these add-ons. Without this protection, many users can be tricked into running extensions they are not aware of.
The second important point is that malicious browser extensions are much harder to detect once installed. Because extensions are part of the browser, their activity cannot be differentiated from the activity of the browser. Accessing the internet and accessing the file system are legitimate actions for the browser. The extension does not need to add itself to the startup scripts, or register as a Windows service, to keep running after a computer reboot. The extension does not need to hook into Windows to intercept logins and passwords, etc. Finally, AV vendors struggle with detecting malicious JavaScript, and none of the malicious Firefox extensions I've checked with VirusTotal were ever flagged.
Going further
The silent installation could be even more sneaky. Instead of adding a new extension, it could also replace an existing extension, or append itself to an existing extension.
10 comments:
Of course this mechanism is easy to bypass. Mozilla has always known and accepted this. I think the idea is that if addons are spotted in the wild that circumvent the user dialog, they will be blacklisted. Malicious extensions can then resort to using random IDs, etc. It is a war no browser can win. If malicious software has control over a user account the browser profile (and documents, shortcuts, etc, etc) can be infected.
Instead of stating the obvious, why don't you offer some suggestions on how to improve this feature.
yes, i was wondering what your solution is as well.
for me, i just use linux and don't run random executables off of the web, which solves the problem.
after being in the open source world for more than a decade, i am sometimes amazed that software vendors expect users to allow them to run random code on their computer as an administrator. it is really bizarre that people give unknown people full access to their computer. (and yet again lots of people give their email and facebook passwords to random websites who promise to "only look at their friends' contact information, etc)
Hi, it looks like you're reinventing the wheel tbh - malware authors have been targeting browsers for a long time (banking trojans mostly). The SQLite method is ok as long as they don't alter the db layout etc. The more generic method is actually to change privilege levels and allow FF to install the extension on its own from a specific location by changing prefs.js.
This is not a security issue in firefox.
You're basically backdooring firefox. But to backdoor firefox you require the ability to run an arbitrary executable on the machine.
What's the point of backdooring firefox if you've already got your executable running on the machine?
By that point you've already won.
This is no different from saying firefox has a security issue because I can reverse engineer it to run a DoS attack on a server and *as long as I can get someone to run my executable on their system that installs this version of firefox*.
I saw this in the wild. Spy/adware package.
Firefox is a cross platform attack vector, Windows, Linux, whatever...;)
So, how do you view the sqlite3 db in firefox to check your extensions?
firefox is a cross-platform attack tool, Windows, Firefox, whatever...
So, how do you view your sqlite3 db in firefox to check the extensions?
@Dave Sharp: you can use SQLite Manager (https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/) to view your databases within Firefox
Post a Comment