Thread-topic: Firefox 2.0 security bug: Extensions can hide themself
> -----Original Message-----
> From: azurIt [mailto:azurit@xxxxxxxx]
> Sent: Sunday, December 10, 2006 6:45 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Firefox 2.0 security bug: Extensions can hide themself
>
> Background
> ----------
> Firefox is very popular and secure web browser. Until now, it
> is used by
> millions of people and thousands of internet clubs. One of
> the great features of
> Firefox are extensions. You can use them to create things
> inside your browser
> which are beyond your imagination.
>
>
> Overview
> --------
> Every Firefox extensions developer knows the 'hidden'
> property of 'install
> manifest'. This property can be used to hide _globally_
> installed extensions and
> it can't hide only local extension (this is a design feature
> so the extensions
> installed by users can't be hidden). But it is not known that
> this can be
> easily bypassed..
>
> Did you know that you can't trust to what Extensions manager
> is saying ? For
> detailed information look at the function 'hide_me()' in file
> 'src/chrome/content/ffsniff/ffsniffOverlay_orig.js' of my PoC.
>
>
> Proof of Concept
> ----------------
> As a PoC I updated my Firefox sniffer extension (FFsniFF) so
> now it has the
> ability to hide itself. You can download it here:
>
>
> The new version (0.2) was tested _only_ with Firefox 2.0
> (both linux and
> Windows).
>
> FFsniFF is a simple Firefox extension, which transforms your
> browser into the
> html form sniffer. Every time the user click on 'Submit'
> button, FFsniFF will try
> to find a non-blank password field in the form. If it's
> found, entire form (also
> with URL) is sent to the specified e-mail address. It also
> has the ability to
> hide itself from 'Extensions manager'.
>
>
> Solution
> --------
> There's no solution for this problem at this time.
>
>
> azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk
>
>
>
>
