Black Hat Asia The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla's automated and human security tests.

The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate functionality.

Professor William Robertson (left) AND PhD Ahmet Buyukkayhan

For example, attackers could duplicate a popular but vulnerable extension to reuse attacks and write their own machine-pwning functionalities.

The researchers explained that extensions run with elevated privileges and access to information, so a malicious extension could steal private browsing data, passwords, and sensitive system resources.

The extensions vulnerable to the 255 reuse exploits found included NoScript with 2.5 million users, Video DownloadHelper with 6.5 million users, and GreaseMonkey with 1.5 million users. Adblock Plus with its 22 million users was unaffected.

Extension-reuse extensions permitted code execution vulnerabilities, event listener registration, and network access among other opportunities for attackers.

Northeastern University PhD candidate Ahmet Buyukkayhan and Northeastern University Professor William Robertson presented the attacks at the Black Hat Asia hacking event in Singapore, releasing a framework dubbed Crossfire they used to identify extensions open to extension reuse vulnerabilities.

“We a have a lot of trust placed in browser vendors … but if you think about it, really squint your eyes, the extension framework really is a backdoor for potentially untrusted third parties to run code in a highly-privileged context,” Robertson says.

“We really shouldn't have trust in the extension authors.

“The combination of automated analysis, manual review, and extension-signing – the vetting model that underpins all of Firefox's extension security – if something goes wrong, then all bets are off.”

And things did go wrong. The pair were able to upload a malicious, but ultimately harmless proof-of-concept, extension to the Firefox extension shop even passing a requested more intensive 'fully reviewed' analysis. The extension dubbed ValidateThisWebsite contained 50 lines of code and no obfuscation.

“The more power vulnerable extensions have, the easier it is for an evil extension to work,” Buyukkayhan says.

“The full review is the highest level of security Mozilla has.”

The proof-of-concept feat was done with Crossfire which also sports a template function that make extension-reuse exploit development much faster.

That framework was supplied to Mozilla as part of a thorough research briefing at the end of which Firefox security wonks have committed to extra vigilance in extension review.

The disclosure of the new attack vectors, the product of an impressive two years' research, come five months ahead of Mozilla's pivot to model its extensions off the more secure Google Chrome model. Developers will still have 18 months from August to migrate to the WebExtensions hardened isolated model before the vulnerable legacy apps are nuked.

Mozilla already maintains a list of malicious extensions which sports 161 blacklisted items, a number that is likely to grow if attackers exploit the new extension-reuse model.

Firefox product man Nick Nguyen says the new WebExtensions are unaffected.

"The way add-ons are implemented in Firefox today allows for the scenario hypothesised and presented at Black Hat Asia, " Nguyen says.

"The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.

"Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security.

The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."

Firefox will later this year under its Electrolysis initiative introduce multi-process architecture to Firefox and sandbox extensions so that they cannot share code. ®