

Firefox browser users love the myriad of third-party extensions that tweak the open-source browser's performance, but some of the most popular of those extensions have created a security hole so wide even a newbie AOL hacker could find it, and millions of Firefox users are at risk of having their browsers hijacked.

Third-party extensions including the widely used toolbars from Google, Yahoo, Ask, Facebook and LinkedIn, as well as the social bookmark extension from Del.icio.us and two anti-hacking add-ons, the Netcraft Anti-Phishing Toolbar and the PhishTank SiteChecker, all put users at risk of having their browser infected with malicious code.

Unlike almost all of the extensions hosted at Mozilla, the foundation that created the open-source Firefox browser, these commercial extensions check for updates from servers controlled by their respective corporate overlords. And they fail to check for those updates from servers with SSL certificates, which most users know as sites whose addresses start with https://.

That means that users who open their browsers on an open wireless connection are vulnerable to a hacker intercepting these third-party extensions' update checks, which go out to a plain http:// site, and then pretending to be the update server. At lesser risk are users who haven't changed the default password on their home routers, which could allow an attacker to take over the router and mess with internet packets.

Instead of sending back the new legitimate code or a message telling the extension that it is up to date, the rogue wireless connection (or compromised router) sends a new malicious extension that could let an attacker take over the browser and use the computer to send spam, attack other computers or steal the user's passwords and sensitive information.

Independent security researcher Christopher Soghoian, an Indiana University student who first made a name for himself by publicizing a long-known security flaw in boarding passes, discovered the extension vulnerability using a simple packet sniffer on his own computer.

"The bitter irony here is that by downloading an anti-phishing toolbar, you're currently making yourself more vulnerable than if you had never downloaded it at all," Soghoian said. "It's totally trivial to spot. This is in no way a major piece of computer security research. The work of attempting to harass the vendors into fixing the flaw has taken far more time than finding it."

The fix is simple for both users and software vendors, according to Soghoian. Users should uninstall any extension they didn't download from the official Mozilla add-ons page. Extensions served from that page all use Mozilla's free https:// connection.

For their part, software vendors need only update their extension update servers with a valid SSL certificate so the extension can check an https:// site. Since the encryption check requires substantially more computing power than a non-encrypted call, companies with hundreds of thousands or millions of extension users might also need to add extra servers to handle the greater load.
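One way to see which installed extensions fall into this category, as an added example that is not part of the original article: a Firefox extension declares its update server in an install.rdf manifest under the em:updateURL property, and when that property is absent Firefox uses Mozilla's own add-ons update service instead. The script below reads each unpacked manifest in a profile's extensions directory and flags any whose update check goes to a plain http:// server; the sample manifests, ids and hostnames are constructed placeholders.

```python
"""Audit Firefox install.rdf manifests for plain-http update channels."""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"  # em: namespace used by install.rdf

def _prop(desc, name):
    """Read an em: property written either as a child element or as an attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")

def audit_install_rdf(rdf_text):
    """Return the extension id, its updateURL and a verdict for one manifest."""
    desc = ET.fromstring(rdf_text).find(f".//{{{RDF}}}Description")
    if desc is None:
        raise ValueError("manifest has no RDF Description element")
    url = _prop(desc, "updateURL")
    if url is None:
        verdict = "mozilla"      # no updateURL: Firefox asks Mozilla's add-ons service instead
    elif urlsplit(url).scheme.lower() == "https":
        verdict = "https"        # vendor-run update server reached over SSL
    else:
        verdict = "plaintext"    # http:// update check, the hole the article describes
    return {"id": _prop(desc, "id"), "updateURL": url, "verdict": verdict}

def audit_extensions_dir(path):
    """Audit every unpacked extension (a folder holding install.rdf) under path."""
    results = []
    for name in sorted(os.listdir(path)):
        manifest = os.path.join(path, name, "install.rdf")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8") as fh:
                results.append(audit_install_rdf(fh.read()))
    return results

# Constructed sample manifests with placeholder ids and hosts, not real vendor files.
_TPL = (f'<RDF xmlns="{RDF}" xmlns:em="{EM}"><Description about="urn:mozilla:install-manifest">'
        '<em:id>{}</em:id>{}</Description></RDF>')
_UPD = "<em:updateURL>{}</em:updateURL>"
SAMPLE_PLAINTEXT = _TPL.format("toolbar@example.invalid", _UPD.format("http://updates.example.invalid/update.rdf"))
SAMPLE_HTTPS = _TPL.format("checked@example.invalid", _UPD.format("https://updates.example.invalid/update.rdf"))
SAMPLE_AMO = _TPL.format("hosted@example.invalid", "")  # no updateURL at all
```

Point audit_extensions_dir at a profile's extensions folder to get one verdict per unpacked add-on; a "plaintext" verdict is the condition Soghoian describes.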

He notes that one security extension, the McAfee SiteAdvisor add-on that warns users when they are about to visit a site known to host untrustworthy downloads or malicious code, correctly uses an https:// connection for updates.

UPDATE: Reader Johnny writes in the comments that the SiteAdvisor add-on is actually not safe:

Unlike the research suggests, McAfee SiteAdvisor is actually worse than any of these other major extensions. It periodically downloads completely unauthenticated code from McAfee's server, which it then executes with the same privileges as your browser. Not only does this backdoor allow McAfee to do whatever they please with your computer, but a hacker can run any malicious code on your system without you ever noticing by simply spoofing the URL http://www.siteadvisor.com/download/safe/safe.js

/UPDATE

Soghoian announced the exploit 45 days after he first disclosed it to Google, Mozilla, Yahoo and Facebook. Mozilla fixed a vulnerable co-branded eBay/Firefox extension in two days, according to Soghoian. After a flurry of emails to Google, where Soghoian interned last summer, Google told him that it would likely have a fix for the problem before he announced it.

Soghoian says his disclosure is in keeping with a widely accepted code of conduct for security researchers, which allows them to disclose vulnerabilities to users after giving the vendors time to solve the problem.

Soghoian also points out that extensions served from Mozilla's servers are forbidden from automatically updating. Instead, a user is shown that an update is available and given the choice of installing it or not.

Google Toolbar, for one, skips that step and automatically installs the new code.

"My suspicion is that Google/Yahoo's extension teams never asked their security teams their opinion," Soghoian told Wired News. "Google has one of the OpenSSL developers on staff. Had they asked him 'Hey, we're going to silently update our customers with code we download from a non-SSL connection. What do you think of that?' he or any other security professional would have shot it down instantly."

UPDATE 2: Del.icio.us writes in via the comments to say its most recent version of its extension has never been vulnerable and that the old version has been updated as well.

Also Mozilla chimes in on its blog.

More on the vulnerability from Ryan Naraine and Brian Krebs.

Photo: Elliot Cross