A trojan in a Firefox security add-on

By Jake Edge
July 21, 2010

There is an impressive list of Firefox security add-ons that makes up the Web Application Security Penetration Testing collection. It contains many of the most well-known addons (Firebug, Greasemonkey, etc.) along with a whole raft of lesser-known, but still useful add-ons—83 add-ons in all. Folks who install from the collection probably weren't expecting that it might also contain a trojan horse in the form of a password logger, but that's just what the "Mozilla Sniffer" add-on did, as Netcraft recently reported.

The add-on in question was marked as "experimental", which means that it had not undergone the code review that add-ons get before turning off the experimental flag. That flag should make users more wary about installing those add-ons, but since it came from the Mozilla web site, and was listed in the collection, it's not hard to see how users, even seemingly security-conscious ones, might get fooled into installing it. The malware author did try to misdirect users by stating that "the addon was validated by MOZILLA validation", but the download page clearly indicated that it had not been reviewed. In any case, some 1800 users downloaded it, and it was in daily use by 334 at the time it was discovered to be a trojan.

So, what did Mozilla Sniffer do? It didn't only "view and modify HTTP/HTTPS headers" as it claimed, but also checked each form that was submitted to see if there were password fields in the form. If so, it sent the form data, which would include the username and password, and the form destination URL off to a server that was presumably under the malware author's control. Essentially all credentials that were used while the add-on was installed were logged for whatever, undoubtedly nefarious, plan the attacker had.

Mozilla Sniffer was uploaded to addons.mozilla.org on June 6, but its trojan nature was not discovered until July 12. Johann-Peter Hartmann had installed some add-ons from the collection to do some security testing of an online game when he noticed a strange HTTP request being made when he logged into the game. Noticing that it sent the credentials and URL to some IP address he didn't recognize, he started to dig deeper.

Hartmann realized that one of the recently installed add-ons was likely to blame, so he started poking around in the source code for those, looking for the destination URL for the unexpected HTTP request. He found it in the popular (and reviewed by Mozilla) Tamper Data add-on, which was rather surprising. It turns out that Mozilla Sniffer had used Tamper Data's universally unique identifier (UUID) so it was able to overwrite the data in the Tamper Data directory—in effect masquerading as that add-on.

The add-on was quickly removed once Hartmann reported it to security@mozilla.org. Mozilla also put out a security announcement on the add-ons blog, but for a substantial number of users, the damage was already done. Mozilla Sniffer was added to Mozilla's add-on blocklist, which will cause users to be prompted to uninstall the add-on. That should remove the problem going forward, but it is likely that some credentials were sent off to the author's site so affected users should probably change any passwords they used after installing Mozilla Sniffer.

Mozilla is currently working on a proposal to change the add-on review process so that unreviewed add-ons are not available from addons.mozilla.org:

Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we're already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site.

The new review process would essentially require all add-ons to get at least a preliminary, cursory code review for malicious code before it could appear on the site. Add-ons that had not passed that initial review would not appear when users searched or browsed add-ons. That would remove the implicit—though clearly disclaimed—Mozilla "stamp of approval" for unreviewed add-ons. Even those that pass the preliminary review will still be marked as "unverified" and be subject to a number of limitations (lowered search ranking, click-through warning on install, etc.).

The preliminary review is meant to get the add-on out in front of users fairly quickly so that developers can get feedback before requesting a full review. The full review will take longer, but passing it will give the add-on full privileges at the Mozilla add-on site.

While it is rather ugly for the users affected, the effects of the attack were not all bad. It should help lead to better procedures for reviewing add-ons as well as making it clearer what the limitations of the current review process are. The attack itself wasn't terribly sophisticated, so it would presumably have been detected immediately if a review had been requested. A more subtle attack, that might remain undetected even with a full review, would be much more dangerous.

In the end, installing an add-on requires some level of trust in the author. Reviewers can make mistakes, as can automated review tools. Since Mozilla does not do any vetting of the add-on authors, it would seem possible, likely even, that some day a determined attacker will slip something through Mozilla's review process. That will be a really bad day.

Index entries for this article
Security	Web browsers

to post comments

A trojan in a Firefox security add-on

Posted Jul 22, 2010 4:58 UTC (Thu) by elanthis (guest, #6227) [Link] (6 responses)

Summary: download random shit from the web and get saddled with malware because humans are fallible. The end.

There's a reason that anti-malware software on Windows is so popular. It's not because Windows is a crappy OS, it's because people tend to download far more third-party software there than on Linux. Sort of. Except that pretty much all your software on Linux is every last bit a huge hodge-podge of random third-party apps as it is on Windows, it's just that Linux distributions (and Mozilla, as it happens) funnel all that third-party software through some over engineered, time wasting, bureaucratic software repository process with the assumption that that somehow magically means all that code is clean and friendly.

In the end, either the user has to be responsible for reviewing what runs on his computer (and who the hell has the time for that, much less the know-how, given the massive amount of highly complex code that makes up the simplest of modern computing systems?) or rely on very sophisticated tools to help catch or stop misbehaving software.

For example, why does Firefox allow any ol' plugin to connect out to any ol' site without first asking the user to confirm that the plugin is allowed to do so? I mean, I know the reason is "nobody thought of putting in the extra effort to make it do that," which is really the same reason why we're just now starting to see sandboxed processes for individual sites instead of doing it that way from the very start. The result though is the same: either the environment has the tools and smarts to protect the user or the user eventually gets fucked, and it turns out our environments don't have all that many tools or smarts.

Simply pretending that the user can never get malicious software in the first place is a never-ending journey along Failure Way. I don't care what kind of review process or approval system or trust web you put in place. The user will eventually get malicious software, either because your system fails or because he just decided to go around it.

Assume he absolutely is going to end up with some malware, and then figure out how to make sure that malware can either be automatically detected and removed (as with most malware scanners) or just manage to muzzle it so it can't do any harm (for example, as with many Windows firewall packages, including even the rather limited default firewall on Windows Vista/7 which goes way beyond what any Linux setup I've ever seen offers in terms of protection from locally-installed malware).

A trojan in a Firefox security add-on

Posted Jul 22, 2010 10:01 UTC (Thu) by nye (subscriber, #51576) [Link] (1 responses)

I wonder if it would be worth an Android-app-style 'this addon is requesting the following capabilities' dialogue. I know most users would just click through without reading it, but it makes it a lot less likely to go unnoticed if some addon suddenly starts trying to do something completely unexpected.

A trojan in a Firefox security add-on

Posted Jul 23, 2010 3:53 UTC (Fri) by zooko (guest, #2589) [Link]

The Mozilla Jetpack project is an attempt to make a framework for add-ons which is auditable and confinable. If successful, Jetpack will make it easy to prevent this sort of backdoor without requiring auditors to carefully pick apart reams of confusing code and without popping up annoying and useless "Is it OKAY?" dialog boxes that the user will learn to autoclick.

Honestly, I'm pretty damned excited about Jetpack. Long-time readers of LWN.net might notice that I always post a comment after one of these articles bemoaning the futility of combatting malware by controlling authorship of code and by auditing enormous codebases. I've often alluded to the possibility of a better system based on confinement and dynamic access controls (i.e. capabilities). Jetpack is finally an attempt to do it that way.

Disclosure: Jetpack is being designed by my good friend and long-time collaborator (on the Tahoe-LAFS project) Brian Warner. Even if I didn't already think the basic idea was super great I would be biased towards liking Jetpack just because Brian Warner is awesome.

REPOs do serve a purpose.

Posted Jul 22, 2010 11:47 UTC (Thu) by alex (subscriber, #1355) [Link]

"through some over engineered, time wasting, bureaucratic software repository process with the assumption that that somehow magically means all that code is clean and friendly"

The Linux repo model isn't all that bad. There is an implied chain of trust from (hopefully) upstreams signed packages to distributions QA and their signing and provisions of sources related to the package your installing. You should be able to update your copy of Apache with reasonable confidence it's not got a backdoor in it, doubly so if your using an enterprise distro where your actually paying for support.

That's not to say the flaws you point out are don't apply if all the packager has done is downloaded a random cool looking tarball and just whacked a "configure/make/make install" into the package.

A trojan in a Firefox security add-on

Posted Jul 22, 2010 12:03 UTC (Thu) by nix (subscriber, #2304) [Link] (1 responses)

For example, why does Firefox allow any ol' plugin to connect out to any ol' site without first asking the user to confirm that the plugin is allowed to do so?

Because users would immediately be bombarded by so many of these messages that they'd soon learn to just click 'yes' at all times? (Hell, they've been well-trained to do that already by other equally useless 'security' warning dialogs.)

security policy

Posted Jul 22, 2010 15:30 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Also, this a plugin to a _web browser_. So, suppose we "forbid" the plugin from sending data to a web site. Instead, it finds an IMG in a web page and rewrites it to be an indirect, sending the data to a web site and returning the original image. Of course there are a million variations on this theme, many of which look (to a machine anyway) indistinguishable from legitimate actions.

The big problem with security policies is finding something that users can understand correctly. This is a big research topic. It is often possible to create something which _technically_ works but which almost no-one will operate correctly, for an end user application like Firefox this is plainly useless (whether it is useless in more specialised applications is up for debate).

A trojan in a Firefox security add-on

Posted Jul 22, 2010 18:04 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

It's not because Windows is a crappy OS

Well, it's not just because of that, you mean... ;-)