Beware Firefox mal-extensions, warns Symantec
By Stephen Withers
Monday, 07 December 2009 09:49
One avenue attackers take is to drop the malicious extension directly into Firefox's components directory. This means it is loaded automatically with the browser but does not show up in the Add-ons window.
Consequently, users are unlikely to know that the extension has been added, or see a mechanism to remove it.
Wüest also noted that "all of the interesting information (such as credit card numbers or passwords) is usually entered through the browser, so it's a perfect playing field for attackers."
While access to the components directory will be denied in Firefox 3.6 (requiring the packaging of add-ons as XPI [cross-platform installer] files and forcing them to appear in the Add-ons window), that won't rule out the possibility of malicious extensions - it will just make it harder to create a stealthy mal-extension.
Even if an extension does install in the conventional way, that doesn't mean it isn't malicious.
A paper [PDF, 1.4MB] co-authored by Wüest and Elia Florio of Italy's Data Protection Authority describes - among other things - a number of malicious extensions that carry out activities such as logging and forwarding all form submissions that include a password field, or forwarding all URLs visited.