A New Vector For Hackers -- Firefox Add-Ons

Makers of some of the most popular extensions, or "add-ons," for Mozilla's Firefox Web browser may have inadvertently introduced security holes that criminals could use to steal sensitive data from millions of users.

By design, each Firefox extension -- any of a number of free software applications that can be added to the popular open-source browser -- is hard-coded with a unique Internet address, and Firefox contacts the creator's update server at that address each time it starts. This feature lets the Firefox browser determine whether a new version of the add-on is available.

Mozilla has always provided a free hosting service for open-source extensions at addons.mozilla.org. But many third-party makers opt to serve updates on their own, using servers that often transmit the updates via insecure protocols (think http:// instead of https://).

As a result, if an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly trivial attack given the myriad free, point-and-click hacking tools available today -- he could also intercept this update process and replace a Firefox add-on with a malicious one.
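A defender can audit installed extensions for this exposure by reading the update address each one declares. The sketch below is an added example, not code from the article or from Mozilla; it assumes the legacy `install.rdf` manifest format with its `em:updateURL` and `em:updateKey` properties (names not mentioned in the article), and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

def _field(desc, name):
    """Read an em: property given either as a child element or as an attribute."""
    child = desc.find(EM + name)
    if child is not None and child.text:
        return child.text.strip()
    return (desc.get(EM + name) or "").strip()

def audit_manifest(xml_text):
    """Classify the update channel declared in one install.rdf manifest."""
    root = ET.fromstring(xml_text)
    for desc in root.iter(RDF + "Description"):
        about = desc.get(RDF + "about") or desc.get("about")
        if about != "urn:mozilla:install-manifest":
            continue
        url = _field(desc, "updateURL")
        if not url:
            return "default"   # no self-hosted update server declared
        if urlparse(url).scheme.lower() == "https":
            return "tls"       # update check travels over an encrypted channel
        if _field(desc, "updateKey"):
            return "signed"    # plain http, but the manifest pins a signing key
        return "exposed"       # plain http, nothing authenticates the response
    raise ValueError("no install manifest description found")

# Constructed sample manifests (hypothetical add-on id and update hosts).
def _manifest(extra):
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            '<em:id>sample@example.invalid</em:id>' + extra +
            '</Description></RDF>')

_HTTP = "<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>"
SAMPLES = {
    "hosted": _manifest(""),
    "https": _manifest("<em:updateURL>https://updates.example.invalid/update.rdf</em:updateURL>"),
    "http-signed": _manifest(_HTTP + "<em:updateKey>PLACEHOLDER-PUBLIC-KEY</em:updateKey>"),
    "http-plain": _manifest(_HTTP),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:12} -> {audit_manifest(xml)}")
```

Only the `exposed` result matches the scenario described above, where anyone controlling the network path can answer the update check.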
