A trojan in a Firefox security add-on
There is an impressive list of Firefox security add-ons that makes up the Web Application Security Penetration Testing collection. It contains many of the most well-known addons (Firebug, Greasemonkey, etc.) along with a whole raft of lesser-known, but still useful add-ons—83 add-ons in all. Folks who install from the collection probably weren't expecting that it might also contain a trojan horse in the form of a password logger, but that's just what the "Mozilla Sniffer" add-on did, as Netcraft recently reported.
The add-on in question was marked as "experimental", which means that it
had not undergone the code review that add-ons get before turning off the
experimental flag. That flag should make users more wary about
installing those add-ons, but since it came from the Mozilla web site, and
was listed in the collection, it's not hard to see how users, even
seemingly security-conscious ones, might get fooled into installing it.
The malware author did try to misdirect users by stating that "the
addon was validated by MOZILLA validation
", but the download page
clearly indicated that it had not been reviewed. In any case, some
1800 users downloaded it, and it was in daily use by 334 at the time it was
discovered to be a trojan.
So, what did Mozilla Sniffer do? It didn't only "view and modify
HTTP/HTTPS headers
" as it claimed, but also checked each form that
was submitted to see if there were password fields in the form. If so, it
sent the form data, which would include the username and password, and the
form destination URL off to a server that was presumably under the malware
author's control. Essentially all credentials that were used while the add-on
was installed were logged for whatever, undoubtedly nefarious, plan the
attacker had.
Mozilla Sniffer was uploaded to addons.mozilla.org on June 6, but its trojan nature was not discovered until July 12. Johann-Peter Hartmann had installed some add-ons from the collection to do some security testing of an online game when he noticed a strange HTTP request being made when he logged into the game. Noticing that it sent the credentials and URL to some IP address he didn't recognize, he started to dig deeper.
Hartmann realized that one of the recently installed add-ons was likely to blame, so he started poking around in the source code for those, looking for the destination URL for the unexpected HTTP request. He found it in the popular (and reviewed by Mozilla) Tamper Data add-on, which was rather surprising. It turns out that Mozilla Sniffer had used Tamper Data's universally unique identifier (UUID) so it was able to overwrite the data in the Tamper Data directory—in effect masquerading as that add-on.
The add-on was quickly removed once Hartmann reported it to security@mozilla.org. Mozilla also put out a security announcement on the add-ons blog, but for a substantial number of users, the damage was already done. Mozilla Sniffer was added to Mozilla's add-on blocklist, which will cause users to be prompted to uninstall the add-on. That should remove the problem going forward, but it is likely that some credentials were sent off to the author's site so affected users should probably change any passwords they used after installing Mozilla Sniffer.
Mozilla is currently working on a proposal to change the add-on review process so that unreviewed add-ons are not available from addons.mozilla.org:
The new review process would essentially require all add-ons to get at least a preliminary, cursory code review for malicious code before it could appear on the site. Add-ons that had not passed that initial review would not appear when users searched or browsed add-ons. That would remove the implicit—though clearly disclaimed—Mozilla "stamp of approval" for unreviewed add-ons. Even those that pass the preliminary review will still be marked as "unverified" and be subject to a number of limitations (lowered search ranking, click-through warning on install, etc.).
The preliminary review is meant to get the add-on out in front of users fairly quickly so that developers can get feedback before requesting a full review. The full review will take longer, but passing it will give the add-on full privileges at the Mozilla add-on site.
While it is rather ugly for the users affected, the effects of the attack were not all bad. It should help lead to better procedures for reviewing add-ons as well as making it clearer what the limitations of the current review process are. The attack itself wasn't terribly sophisticated, so it would presumably have been detected immediately if a review had been requested. A more subtle attack, that might remain undetected even with a full review, would be much more dangerous.
In the end, installing an add-on requires some level of trust in the author. Reviewers can make mistakes, as can automated review tools. Since Mozilla does not do any vetting of the add-on authors, it would seem possible, likely even, that some day a determined attacker will slip something through Mozilla's review process. That will be a really bad day.
| Index entries for this article | |
|---|---|
| Security | Web browsers |
A trojan in a Firefox security add-on
Posted Jul 22, 2010 4:58 UTC (Thu)
by elanthis (guest, #6227)
[Link] (6 responses)
Posted Jul 22, 2010 4:58 UTC (Thu) by elanthis (guest, #6227) [Link] (6 responses)
There's a reason that anti-malware software on Windows is so popular. It's not because Windows is a crappy OS, it's because people tend to download far more third-party software there than on Linux. Sort of. Except that pretty much all your software on Linux is every last bit a huge hodge-podge of random third-party apps as it is on Windows, it's just that Linux distributions (and Mozilla, as it happens) funnel all that third-party software through some over engineered, time wasting, bureaucratic software repository process with the assumption that that somehow magically means all that code is clean and friendly.
In the end, either the user has to be responsible for reviewing what runs on his computer (and who the hell has the time for that, much less the know-how, given the massive amount of highly complex code that makes up the simplest of modern computing systems?) or rely on very sophisticated tools to help catch or stop misbehaving software.
For example, why does Firefox allow any ol' plugin to connect out to any ol' site without first asking the user to confirm that the plugin is allowed to do so? I mean, I know the reason is "nobody thought of putting in the extra effort to make it do that," which is really the same reason why we're just now starting to see sandboxed processes for individual sites instead of doing it that way from the very start. The result though is the same: either the environment has the tools and smarts to protect the user or the user eventually gets fucked, and it turns out our environments don't have all that many tools or smarts.
Simply pretending that the user can never get malicious software in the first place is a never-ending journey along Failure Way. I don't care what kind of review process or approval system or trust web you put in place. The user will eventually get malicious software, either because your system fails or because he just decided to go around it.
Assume he absolutely is going to end up with some malware, and then figure out how to make sure that malware can either be automatically detected and removed (as with most malware scanners) or just manage to muzzle it so it can't do any harm (for example, as with many Windows firewall packages, including even the rather limited default firewall on Windows Vista/7 which goes way beyond what any Linux setup I've ever seen offers in terms of protection from locally-installed malware).
A trojan in a Firefox security add-on
Posted Jul 22, 2010 10:01 UTC (Thu)
by nye (guest, #51576)
[Link] (1 responses)
Posted Jul 22, 2010 10:01 UTC (Thu) by nye (guest, #51576) [Link] (1 responses)
A trojan in a Firefox security add-on
Posted Jul 23, 2010 3:53 UTC (Fri)
by zooko (guest, #2589)
[Link]
Posted Jul 23, 2010 3:53 UTC (Fri) by zooko (guest, #2589) [Link]
Honestly, I'm pretty damned excited about Jetpack. Long-time readers of LWN.net might notice that I always post a comment after one of these articles bemoaning the futility of combatting malware by controlling authorship of code and by auditing enormous codebases. I've often alluded to the possibility of a better system based on confinement and dynamic access controls (i.e. capabilities). Jetpack is finally an attempt to do it that way.
Disclosure: Jetpack is being designed by my good friend and long-time collaborator (on the Tahoe-LAFS project) Brian Warner. Even if I didn't already think the basic idea was super great I would be biased towards liking Jetpack just because Brian Warner is awesome.
REPOs do serve a purpose.
Posted Jul 22, 2010 11:47 UTC (Thu)
by alex (subscriber, #1355)
[Link]
"through some over engineered, time wasting, bureaucratic software repository process with the assumption that that somehow magically means all that code is clean and friendly"
Posted Jul 22, 2010 11:47 UTC (Thu) by alex (subscriber, #1355) [Link]
The Linux repo model isn't all that bad. There is an implied chain of trust from (hopefully) upstreams signed packages to distributions QA and their signing and provisions of sources related to the package your installing. You should be able to update your copy of Apache with reasonable confidence it's not got a backdoor in it, doubly so if your using an enterprise distro where your actually paying for support.
That's not to say the flaws you point out are don't apply if all the packager has done is downloaded a random cool looking tarball and just whacked a "configure/make/make install" into the package.
A trojan in a Firefox security add-on
Posted Jul 22, 2010 12:03 UTC (Thu)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted Jul 22, 2010 12:03 UTC (Thu) by nix (subscriber, #2304) [Link] (1 responses)
For example, why does Firefox allow any ol' plugin to connect out to any ol' site without first asking the user to confirm that the plugin is allowed to do so?Because users would immediately be bombarded by so many of these messages that they'd soon learn to just click 'yes' at all times? (Hell, they've been well-trained to do that already by other equally useless 'security' warning dialogs.)
security policy
Posted Jul 22, 2010 15:30 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link]
Posted Jul 22, 2010 15:30 UTC (Thu) by tialaramex (subscriber, #21167) [Link]
The big problem with security policies is finding something that users can understand correctly. This is a big research topic. It is often possible to create something which _technically_ works but which almost no-one will operate correctly, for an end user application like Firefox this is plainly useless (whether it is useless in more specialised applications is up for debate).
A trojan in a Firefox security add-on
Posted Jul 22, 2010 18:04 UTC (Thu)
by RobSeace (subscriber, #4435)
[Link]
It's not because Windows is a crappy OS
Posted Jul 22, 2010 18:04 UTC (Thu) by RobSeace (subscriber, #4435) [Link]
Well, it's not just because of that, you mean... ;-)