Indiana University researcher Christopher Soghoian has discovered an unusual vulnerability that affects several widely-used Firefox extensions including the Google Toolbar, Facebook Toolbar, and Anti-Phishing Toolbar. According to Soghoian, a man-in-the-middle attack can be used on a public wireless network to trick browser extensions into downloading malicious code instead of legitimate updates. The solution to this problem, says Soghoian, is to use SSL to deploy extension updates. Since the official addons.mozilla.org server uses SSL, extensions that update from that location aren’t affected.

DNS-based man-in-the-middle attacks are futile with SSL-enabled web servers, according to Soghoian, because the browser will reject the connection to the false update server. This is because the IP address returned by the DNS server will not match the IP in the SSL certificate.

Although this security issue doesn’t necessarily represent a Firefox problem, Soghoian points out that the limitations of Firefox’s code-signing functionality certainly don’t help. “The code signing functionality in Firefox is fairly limited,” says Soghoian. “The main difference is that a signed extension will show the signer’s name when the user is prompted to install the extension, while an unsigned extension will list ‘un-signed’ next to the extension name. The availability of an update without signatures for extensions that previously had a valid signature does not raise any kind of error. Furthermore, the signature is thrown away as soon as the new extension update is installed.”
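As an added illustration (not code from the article, from Mozilla or from any of the toolbars named), here are the checks an update client would need in order to close the two gaps described above: refusing an update manifest that is not fetched over TLS, and refusing an unsigned or differently signed update for an extension that was previously signed, with the manifest also carrying a hash of the update package. The manifest fields, signer names and sample package are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample package and its SHA-256, standing in for an XPI update.
GOOD_PACKAGE = b"PK\x03\x04 constructed-extension-update-v2"
GOOD_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()


def check_update_url(url):
    """Refuse update manifests that are not fetched over TLS. On an open
    network a spoofed DNS answer can point the client at a forged host; over
    https the forged host cannot present a certificate that validates for the
    expected host name, so the browser drops the connection."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return "reject: update URL must use https, got %r" % parts.scheme
    return "ok"


def check_signer_continuity(installed_signer, update_signer):
    """A previously signed extension must not accept an unsigned update or
    one from a different signer (the downgrade the article says raises no
    error in Firefox)."""
    if installed_signer is None:
        return "ok"  # never signed: nothing to downgrade from
    if update_signer is None:
        return "reject: signed extension offered an unsigned update"
    if update_signer != installed_signer:
        return "reject: update signed by %r, installed signer is %r" % (
            update_signer, installed_signer)
    return "ok"


def check_package_hash(package, expected_sha256):
    """The hash travels inside the https-protected manifest, so the package
    itself may be fetched from any mirror and still be verified."""
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return "reject: package hash mismatch"
    return "ok"


def evaluate_update(manifest, installed_signer, package):
    """Return the list of rejection reasons; an empty list means accept."""
    verdicts = [
        check_update_url(manifest["update_url"]),
        check_signer_continuity(installed_signer, manifest.get("signer")),
        check_package_hash(package, manifest["sha256"]),
    ]
    return [v for v in verdicts if v != "ok"]
```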