Google Prey to Attack Via Firefox Extension Auto-Upgrade

By Lisa Vaas  |  Posted 2007-06-01

Updated: A security researcher discovers a vulnerability in a Firefox extension used by Google Toolbar that could lead to installations of malware.

A security researcher has found a remote vulnerability in the upgrade mechanism in the Firefox extension used by Google Toolbar and Google Browser Sync that could lead to a man-in-the-middle attack and covert installation of malicious software.

Christopher Soghoian, a graduate student at Indiana University's School of Informatics, discovered that an attacker can silently slip malicious software onto computers via an upgrade mechanism flaw in the latest versions of highly popular Firefox extensions, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Facebook Toolbar, AOL Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker, among others.
Writing in his blog on May 30, Soghoian noted that users of the Google Pack suite are likely vulnerable, given that it includes the Google Toolbar for Firefox. Using the bug, an attacker can install software such as spyware, hijack e-banking sessions, steal e-mail or send e-mail spam.
The only way to secure the upgrade path for sites hosting extensions and their updates is to use SSL. For the most part, he said, update sites whose URLs begin with "https" are safe, as is the case with Mozilla's free hosting service for open-source extensions.

An exploit is carried out through a man-in-the-middle attack in which the attacker convinces a targeted system that he or she is the update server for one or more extensions. Firefox prompts the user when updates are available and then downloads and installs the software, which in this case would be malicious code. Some commercial extensions, including those from Google, have disabled the notification, opting instead for silent installation. Soghoian didn't give any more details on the vulnerability, saying that it stems from "design flaws, false assumptions, and a lack of solid developer documentation instructing extension authors on the best way to secure their code."

Any user who has installed Firefox and one or more of the vulnerable extensions is at risk when using public or unencrypted wireless networks, an untrusted Internet connection or a compromised home router, including routers still running with default passwords.

Soghoian writes that he notified Firefox's Security Team as well as some vendors of high-profile software, such as Google, Yahoo and Facebook, some 45 days ago. As of May 30, none had yet released a fix. Until they do, Soghoian says that users should remove or disable any Firefox extension downloaded from anywhere other than the official Firefox Add-ons Web site. If in doubt, he said, delete the extension, which can be done in Firefox through the Tools->Add-ons menu, and download it again from a safe site.

A Google spokesman said that the company has developed a fix for the extensions and that users will be automatically updated with the patch shortly. Google hasn't received any reports of the vulnerability being exploited.
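Soghoian's advice boils down to a single check a user or administrator can make before trusting an installed extension: where does it poll for updates, and is that channel SSL-protected? The following Python script is an added example, not code from the article, from Soghoian or from Mozilla. It opens an XPI (a zip archive) and reads the `em:updateURL` from its `install.rdf` manifest, handling both the element and attribute spellings that RDF/XML allows, and classifies the result. The two manifests embedded below are constructed samples with hypothetical hosts; they are not taken from any real extension. An absent `updateURL` is reported as "default", since an extension without one is updated from the official Firefox Add-ons site, which the article notes is served over SSL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Firefox install.rdf manifests (2007-era extension format).
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample manifests (hypothetical hosts, not real extensions).
# The first uses the element form of em:updateURL over plain HTTP, the
# pattern the article describes; the second uses the attribute form over HTTPS.
HTTP_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@vendor.invalid</em:id>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.vendor.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>
"""

HTTPS_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="sitecheck@vendor.invalid"
               em:version="2.3"
               em:updateURL="https://updates.vendor.invalid/update.rdf?id=%ITEM_ID%" />
</RDF>
"""


def extract_update_url(install_rdf):
    """Return the em:updateURL from an install.rdf (str or bytes), or None if absent."""
    data = install_rdf.encode("utf-8") if isinstance(install_rdf, str) else install_rdf
    root = ET.fromstring(data)
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        # Element form: <em:updateURL>...</em:updateURL>
        el = desc.find(f"{{{EM_NS}}}updateURL")
        if el is not None and el.text and el.text.strip():
            return el.text.strip()
        # Attribute form: <Description em:updateURL="..."/>
        attr = desc.get(f"{{{EM_NS}}}updateURL")
        if attr:
            return attr.strip()
    return None


def classify_update_url(url):
    """'default' (official add-ons site), 'secure' (https) or 'insecure' (anything else)."""
    if url is None:
        return "default"
    scheme = urlparse(url).scheme.lower()
    return "secure" if scheme == "https" else "insecure"


def build_xpi(install_rdf):
    """Pack a manifest into a minimal in-memory XPI so the audit runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", install_rdf)
    return buf.getvalue()


def audit_xpi(xpi_bytes):
    """Return (updateURL, verdict) for the XPI given as bytes."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = z.read("install.rdf")
    url = extract_update_url(manifest)
    return url, classify_update_url(url)


if __name__ == "__main__":
    samples = (("http-toolbar.xpi", HTTP_INSTALL_RDF),
               ("https-sitecheck.xpi", HTTPS_INSTALL_RDF))
    for name, rdf in samples:
        url, verdict = audit_xpi(build_xpi(rdf))
        print(f"{name}: updateURL={url} -> {verdict}")
```

To audit a real extension, pass `open("extension.xpi", "rb").read()` to `audit_xpi`; a verdict of "insecure" is exactly the condition the article describes, since a plain-HTTP poll lets a man-in-the-middle on a public hotspot or a compromised router answer in the update server's place. One caveat the check cannot cover: the `updateURL` is only the first hop. The update manifest it returns names the XPI download location, and that link must also be HTTPS, or the attacker simply substitutes the package instead of the manifest.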
The Firefox Web browser allows third parties to release code, known as extensions, that runs within the user's browser. Firefox also includes an upgrade mechanism that lets an extension poll an Internet server for updates. If an update is available, the extension will typically ask the user whether they wish to upgrade, and then will download and install the new code. Soghoian said that McAfee is one commercial vendor whose extension does get its updates from a secure Web site. "The McAfee SiteAdvisor does things correctly, and is thus not vulnerable to this attack," he wrote.

Editor's Note: This story was updated to include Google's statement.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees at her home in Mashpee, Mass.
