Firefox 2.0 Bug: Extensions can hide themselves



Background
----------
Firefox is a very popular and secure web browser. To date, it is used by
millions of people and thousands of internet clubs. One of the great features of
Firefox is extensions. You can use them to create things inside your browser
which are beyond your imagination.


Overview
--------
Every Firefox extension developer knows the 'hidden' property of the 'install
manifest'. This property can be used to hide _globally_ installed extensions, and
it can't hide local extensions (this is a design feature so that extensions
installed by users can't be hidden). But it is not widely known that this can be
easily bypassed.

Did you know that you can't trust what the Extensions manager is saying? For
detailed information, look at the function 'hide_me()' in the file
'src/chrome/content/ffsniff/ffsniffOverlay_orig.js' of my PoC.
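
Because the Extensions manager listing cannot be trusted, a defender can enumerate the extensions directory on disk instead. The Python below is an added example, not part of this advisory or of FFsniFF; it reads each install.rdf directly and flags manifests that declare em:hidden or cannot be parsed. It assumes extensions are unpacked one directory per extension with an install.rdf inside; the function names and sample IDs are constructed, and it does not reproduce the PoC's hiding method, which this page does not describe.

```python
import os
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
# Constructed sample manifest (not taken from any real extension).
SAMPLE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>%s</em:id><em:version>1.0</em:version>%s
  </Description>
</RDF>"""

def read_manifest(path):
    """Return {'id', 'hidden'} from one install.rdf, or None if it cannot be parsed."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    for desc in root.iter(RDF + "Description"):
        if desc.get("about", desc.get(RDF + "about")) != "urn:mozilla:install-manifest":
            continue
        def prop(name):  # em: properties may be child elements or attributes
            child = desc.find(EM + name)
            return child.text.strip() if child is not None and child.text else desc.get(EM + name)
        return {"id": prop("id"), "hidden": (prop("hidden") or "").lower() == "true"}
    return None

def audit_extensions(ext_dir):
    """Enumerate extension directories on disk, independent of the Extensions manager UI."""
    findings = []
    for entry in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, entry, "install.rdf")
        if os.path.isfile(manifest):
            info = read_manifest(manifest) or {"id": None, "hidden": False}
            flag = ("unparsable manifest" if not info["id"] else
                    "declares em:hidden" if info["hidden"] else "")
            findings.append({"dir": entry, "id": info["id"], "flag": flag})
    return findings

def build_sample(root):
    """Create two constructed extension directories under root, one marked hidden."""
    for ext_id, extra in [("visible@example.invalid", ""),
                          ("hidden@example.invalid", "<em:hidden>true</em:hidden>")]:
        os.makedirs(os.path.join(root, ext_id))
        with open(os.path.join(root, ext_id, "install.rdf"), "w") as f:
            f.write(SAMPLE % (ext_id, extra))
```

Run audit_extensions() against both the profile's and the application's extensions directories, with the browser closed, and compare the result with what the Extensions manager displays; any directory missing from the UI deserves a closer look.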


Proof of Concept
----------------
As a PoC I updated my Firefox sniffer extension (FFsniFF) so now it has the
ability to hide itself. You can download it here:
http://azurit.gigahosting.cz/ffsniff/

The new version (0.2) was tested _only_ with Firefox 2.0 (both Linux and
Windows).

FFsniFF is a simple Firefox extension which transforms your browser into an
HTML form sniffer. Every time the user clicks the 'Submit' button, FFsniFF will try
to find a non-blank password field in the form. If one is found, the entire form
(along with the URL) is sent to the specified e-mail address. It also has the
ability to hide itself from the 'Extensions manager'.


Solution
--------
There's no solution for this problem at this time.


azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk



