Background
----------
Firefox is a very popular and secure web browser. To date, it is used by
millions of people and thousands of internet clubs. One of the great features of
Firefox is its extensions. You can use them to create things inside your browser
which are beyond your imagination.

Overview
--------
Every Firefox extension developer knows the 'hidden' property of the 'install
manifest'. This property can be used to hide _globally_ installed extensions; it
cannot hide local extensions (this is a design feature, so that extensions
installed by users can't be hidden). What is not widely known is that this
restriction can be easily bypassed.

Did you know that you can't trust what the Extensions manager is saying? For
detailed information, look at the function 'hide_me()' in the file
'src/chrome/content/ffsniff/ffsniffOverlay_orig.js' of my PoC.

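
Since the Extensions manager listing cannot be trusted, a defender can read the
install manifests on disk instead. The following is an added example, not code
from the PoC or from Firefox: it assumes extensions are unpacked directories
holding an 'install.rdf' under the profile's 'extensions' directory and that a
hidden extension still keeps its manifest there; the function names and the
sample manifest are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

# Constructed sample manifest (not taken from FFsniFF or any real extension).
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample@example.invalid</em:id>
    <em:name>Sample</em:name>
    <em:version>0.1</em:version>
    <em:hidden>true</em:hidden>
  </Description>
</RDF>"""


def parse_manifest(xml_data):
    """Return id, name, version and 'hidden' flag from install.rdf content."""
    root = ET.fromstring(xml_data)
    for desc in root.iter(RDF + "Description"):
        about = desc.get("about") or desc.get(RDF + "about")
        if about != "urn:mozilla:install-manifest":
            continue
        def prop(name):
            # A property may be written as a child element or an attribute.
            child = desc.find(EM + name)
            value = child.text if child is not None else desc.get(EM + name)
            return (value or "").strip()
        return {"id": prop("id"), "name": prop("name"),
                "version": prop("version"),
                "hidden": prop("hidden").lower() == "true"}
    return None


def audit_extensions(ext_dir):
    """List every unpacked extension that is on disk under ext_dir."""
    found = []
    for entry in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, entry, "install.rdf")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, "rb") as fh:
            info = parse_manifest(fh.read())
        if info:
            found.append(dict(info, dir=entry))
    return found
```

Any entry returned by audit_extensions() that does not appear in the Extensions
manager, or that sets 'hidden' from inside a user profile, deserves a closer look.
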
Proof of Concept
----------------
As a PoC I updated my Firefox sniffer extension (FFsniFF) so that it now has the
ability to hide itself. You can download it here:
http://azurit.gigahosting.cz/ffsniff/

The new version (0.2) was tested _only_ with Firefox 2.0 (both Linux and
Windows).

FFsniFF is a simple Firefox extension which transforms your browser into an
HTML form sniffer. Every time the user clicks the 'Submit' button, FFsniFF will
try to find a non-blank password field in the form. If one is found, the entire
form (along with the URL) is sent to the specified e-mail address. It also has
the ability to hide itself from the 'Extensions manager'.

Solution
--------
There's no solution for this problem at this time.

azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk