A New Vector For Hackers -- Firefox Add-Ons

Filed under
Security

Makers of some of the most popular extensions, or "add-ons," for Mozilla's Firefox Web browser may have inadvertently introduced security holes that criminals could use to steal sensitive data from millions of users.

By design, each Firefox extension -- any of a number of free software applications that can be added to the popular open-source browser -- is hard-coded with a unique Internet address that will contact the creator's update server each time Firefox starts. This feature lets the Firefox browser determine whether a new version of the add-on is available.

Mozilla has always provided a free hosting service for open-source extensions at addons.mozilla.org. But many third-party makers opt to serve updates on their own, using servers that often transmit the updates via insecure protocols (think http:// instead of https://).

As a result, if an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- he could also intercept this update process and replace a Firefox add-on with a malicious one.
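As an added example (not code from the article), here is a small audit script that reads a Firefox add-on's install.rdf manifest, pulls out the hard-coded em:updateURL the article describes, and flags any update endpoint that is plain http://. It assumes the classic install.rdf format with the em: namespace; the two manifests embedded below are constructed samples, and the reporting of an em:updateKey (a public key Firefox can use to verify a signed update manifest) is an addition beyond what the article says.

```python
"""Audit Firefox add-on install.rdf manifests for update URLs fetched over
plain HTTP.  The manifests below are constructed samples, not real add-ons."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"  # install.rdf "em:" namespace

# Constructed sample: update check hard-coded to an http:// server
SAMPLE_INSECURE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-insecure@example.invalid</em:id>
    <em:version>1.2.3</em:version>
    <em:updateURL>http://updates.example.invalid/update.rdf?v=%ITEM_VERSION%</em:updateURL>
  </Description>
</RDF>"""

# Constructed sample: same add-on, but its updates are served over TLS
SAMPLE_SECURE = SAMPLE_INSECURE.replace("http://updates", "https://updates")


def audit_install_rdf(xml_text):
    """Return (addon_id, update_url, finding) for one install.rdf.

    finding: "no-update-url"  -> no em:updateURL, add-on updates via
                                  addons.mozilla.org (Mozilla's hosted service)
             "ok"             -> update URL uses https
             "insecure-update-url" -> update URL is plain http
             "insecure-update-url-with-updatekey" -> http, but an em:updateKey
                  is present (assumed here to mean the update manifest is
                  signed; still worth reviewing, the XPI itself travels in clear)
    """
    root = ET.fromstring(xml_text)
    ns = {"em": EM}
    addon_id = root.findtext(".//em:id", default="", namespaces=ns)
    url = root.findtext(".//em:updateURL", default="", namespaces=ns).strip()
    if not url:
        return addon_id, None, "no-update-url"
    if urlparse(url).scheme.lower() == "https":
        return addon_id, url, "ok"
    has_key = root.find(".//em:updateKey", ns) is not None
    finding = "insecure-update-url-with-updatekey" if has_key else "insecure-update-url"
    return addon_id, url, finding


if __name__ == "__main__":
    for manifest in (SAMPLE_INSECURE, SAMPLE_SECURE):
        print(audit_install_rdf(manifest))
```

Run it over the install.rdf of each installed extension to list which ones would accept an update from an unauthenticated http:// endpoint.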

Full Story.
