The listings featured on this site are from companies from which this site receives compensation. Read the Advertising Disclosure for more information
Disclosure:
Professional Reviews

vpnMentor contains reviews that are written by our community reviewers, and are based on the reviewers' independent and professional examination of the products/services.

Ownership

vpnMentor is owned by Kape Technologies PLC, which owns the following products: ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego, which may be reviewed on this website.

Affiliate Commissions Advertising

vpnMentor contains reviews that were written by our experts and follow the strict reviewing standards, including ethical standards, that we have adopted. Such standards require that each review will be based on an independent, honest and professional examination of the reviewer. That being said, we may earn a commission when a user completes an action using our links, which will however not affect the review but might affect the rankings. The latter are determined on the basis of customer satisfaction of previous sales and compensation received.

Reviews Guidelines

The reviews published on vpnMentor are written by experts that examine the products according to our strict reviewing standards. Such standards ensure that each review is based on the independent, professional and honest examination of the reviewer, and takes into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings we publish may take into consideration the affiliate commissions we earn for purchases through links on our website.

Popular Firefox Security Extensions Are Open to Reuse Attacks

New research has found some of the most popular Firefox add-ons, including powerful security extensions, are vulnerable to reuse attacks. This article details the situation.

At the Blackhat Asia Conference in early April 2016, researchers from Northeastern University and Boston University revealed nine of the top ten Firefox extensions are vulnerable to reuse attacks. Unfortunately, this includes a few of the most popular security extensions available in the Add-on catalog. In this article, we discuss how these attacks could happen, describe the compromised security extensions, and recommend some precautionary measures to lessen your exposure risk.

What is a Reuse Attack?

In this context, a reuse attack occurs when a malicious extension exploits the functions of a legitimate – yet vulnerable – extension to perform an attack on a user’s browser. The research group developed a static analyzer – named CrossFire – to identify reuse vulnerabilities in Firefox add-ons for both the Windows and Mac platforms, including:

  • Network access
  • File input/output
  • Code execution
  • Clipboard access
  • Cookie store access
  • Bookmarks access
  • Password store access
  • Preference access
  • Event listener registration

Through these add-on faults, it is possible for an attacker to control your browser and perform malicious actions, such as:

  • opening and displaying the contents of a URL in a new browser tab.
  • sending an HTTP request to an attacker-specified URL.
  • downloading a list of files without activating the Firefox download prompt.
  • executing binary files to modify website content.

How Would a Reuse Attack Occur?

In order for such an attack to occur, a user must download the extension with the reuse vulnerability AND a malicious extension. The hidden code within the attacking add-on would then execute without the user’s knowledge.

“Attackers could write an extension that looks innocuous to anyone reviewing the plug-in,” researcher William Robertson said while presenting at the conference. “But once added to the Firefox browser, the benign looking extension could easily exploit a second Firefox extension to plant malware on the user’s computer.”

The attacks are made possible because legacy Firefox frameworks do not isolate add-on functions. Therefore, malicious add-on code can use API calls from legitimate add-ons to execute attacks while appearing to be harmless. They can also gather sensitive data contained in other add-ons because add-ons share Firefox’s Cross-Platform Communication Object Model (XPCOM).

Reuse attack vulnerabilities found in Firefox Security ExtensionsCredit: Buyukkayhan et al.

Are Reuse Attacks Common?

No. The researchers told vpnMentor that many other news outlets have blown the issue out of proportion.

“Most online articles we read about CrossFire blew the problem out of proportion, and made it out to look like all Firefox extensions are evil and should immediately be removed from the computer. Of course, that would not be a sensible reaction to the issue at hand.”

But with so many of the popular extensions possessing vulnerabilities, it does open the door for such attacks to happen.

Reuse Attack Vulnerabilities Found in Firefox Security ExtensionsCredit: Buyukkayhan et al.

In fact, a main point of the research was to prove the inadequacies of current add-on vetting practices. To prove the point, the team uploaded a “malicious” extension and got it through Firefox’s highest level of review. This add-on, which they called ValidateThisWebsite, advertised an ability to analyze websites to determine if they met current code standards. Behind the façade, however, the extension actually paired with a legitimate extension to open a website of their choosing in a new tab. It was harmless, but it showed how an attack could occur.

Are Jetpack Add-ons Susceptible?

Yes. While the work primarily focused on the vulnerabilities in legacy Firefox extensions due to their popularity and prevalence, the team said extensions built through the current Jetpack/Add-on SDK platform are not immune to extension-reuse attacks.

What Security Extensions Are Vulnerable to Reuse Attacks?

The paper mentions two prominent security add-ons:

  • NoScript:Reuse attack vulnerabilities found in Firefox Security Extensions
    This extension lets users choose the sites that can run JavaScript, Java, and other plugins. It currently has more than 2 million users. Update: NoScript’s author has recently responded to the CrossFire article, calling it “cheap research.”
  • Reuse Attack Vulnerabilities Found in Firefox Security Extensions Web of Trust:
    A known worldwide website reputation and rating service that helps users make informed decisions about whether to trust a website or not when searching, shopping, or surfing online. It has more than 900,000 users.

In addition to these two security extensions, the researchers said KeeFox showed Reuse Attack Vulnerabilities Found in Firefox Security Extensions vulnerabilities during the tests. This extension connects Firefox to KeePass Password Safe, the most popular open source (and free) password manager. Available to PC users only, it has been downloaded more than 59,000 times.

Note: the researchers tested 323 random extensions along with the ones on the top-10 list. This random sample may include more security extensions than the ones listed here.

Did Any Security Extensions Pass the Vulnerability Test?

Yes. Adblock Plus came through without any reuse vulnerabilities. This is a positive development for the 20+ million users who have downloaded this extension.

What Are the Best Ways to Prevent Reuse Attacks?

The researchers noted that reuse attacks cannot happen unless a malicious add-on is downloaded and paired with at least one vulnerable add-on. Also, extensions with good programming and recent updates are less likely to be vulnerable. Therefore, vpnMentor recommends:

  • Using extensions with an active update record
  • Only downloading extensions from known sources
  • Keeping your browser up-to-date
  • Managing your extension library and removing those you no longer use

According to the researchers, the key for short-term protection is vigilance. By informing users, developers, and Mozilla vetters about this issue, everyone can be on the lookout to blacklist malicious extensions.

“Naturally, we do not intend our work to be interpreted as an attack on the efforts of Firefox’s cadre of extension vetters, who have an important and difficult job…” they wrote in the paper. “Nevertheless, our experiments demonstrate that current [add-on vetting tools are] insufficient to handle this class of attack, and the techniques we propose can serve as a first step towards bolstering the vetting process to detect extension-reuse vulnerabilities.”

The team is also moving the CrossFire project to GitHub. When it is available, anyone can submit an extension as an input and see the code-reuse vulnerabilities inside it. Developers would then be able to issue updates to fix the faults.

Is a Universal Fix Being Developed?

Yes. The research sparked a quick response from Mozilla: “Because risksReuse Attack Vulnerabilities Found in Firefox Security Extensions such as this one exist, we are evolving both our core product and our extensions platform to build in greater security.”

The company notes that add-ons written through the new WebExtensions platform (available in beta with Firefox 46) prevent the problem. Also, when Mozilla’s Electrolysis Project launches later this year, extensions will be isolated via sandboxing. This shift will prevent any malicious extension from communicating with a vulnerable one.

Conclusion

Since vulnerabilities extend to almost all of the most popular add-ons, the threat of reuse attacks cannot be taken lightly. It is important to stress, however, that vigilant add-on installation coupled with closer scrutiny by vetters and developers should prevent malicious add-ons from entering the Firefox library. So, be sure to download trusted security extensions that are kept up-to-date from now on, or at least until the Electrolysis project is implemented.

Rank
Provider
Our Score
Discount
Visit Website
1
medal
9.8 /10
Save 49%!
Privacy Alert!

Your data is exposed to the websites you visit!

Your IP Address:

Your Location:

Your Internet Provider:

The information above can be used to track you, target you for ads, and monitor what you do online.

VPNs can help you hide this information from websites so that you are protected at all times. We recommend ExpressVPN — the #1 VPN out of over 350 providers we've tested. It has military-grade encryption and privacy features that will ensure your digital security, plus — it's currently offering 49% off.

Visit ExpressVPN

About the Author

John Norris worked as a tech writer, journalist, and instructional designer before turning to tech blogging in 2013. While focusing on digital security and privacy issues, he is interested in any tech area that can enrich people's lives.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback
Comment Comment must be from 5 to 2500 characters long.