Beware of Flat-Packed Firefox Add-ons

 
 
By Ryan Naraine  |  Posted 2008-01-29
 
 
 
 
 
 
 

Mozilla has slapped a "high severity" rating on an unpatched Firefox vulnerability that could let hackers steal session cookies -- and sensitive user information -- from Web surfers.

Mozilla security chief Window Snyder confirmed the issue in a blog entry late Tuesday, warning that Firefox users who have installed "flat" packed add-ons (browser extensions) are at risk.

The flaw was originally reported as a low-risk information disclosure issue that could help with pre-attack reconnaissance, but Snyder's latest update confirms the risk is much higher.

"An attacker can use this vulnerability to collect session information, including session cookies and session history," Snyder said.

[ SEE: Do You Know What's Leaking Out of Firefox? ]

Stolen cookies and session information could eventually lead to a complete hijack of things such as Gmail accounts, Amazon.com and eBay credentials, and other sensitive Web-based accounts.

Although Firefox is not vulnerable by default (only users who have installed "flat" packed add-ons are at risk), this partial list of vulnerable Firefox extensions is very, very long.

It includes popular add-ons like Greasemonkey, Download Statusbar, Finjan Secure Browsing and YouTube It.

"If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging," Snyder added.

Mozilla plans to ship Firefox 2.0.0.12 very soon -- possibly by the end of this week -- to patch this vulnerability.

 
 
 
 