A security researcher has found a remote vulnerability in the upgrade mechanism in the Firefox extension used by Google Toolbar and Google Browser Sync that could lead to a man-in-the-middle attack and covert installation of malicious software.
Christopher Soghoian, a graduate student at Indiana Universitys School of Informatics, discovered that an attacker can silently slip malicious software onto computers via an upgrade mechanism flaw in the latest versions of highly popular Firefox extensions, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker.
Writing in his blog on May 30, Soghoian noted that users of the Google Pack suite are likely vulnerable, given that it includes the Google Toolbar for Firefox. Using the bug, an attacker can install software such as spyware, hijack e-banking sessions, steal e-mail or send e-mail spam.
The only way to secure the upgrade path for sites hosting extensions and their updates is to use SSL technology. For the most part, he said, those sites with an “S” in their URLs are safe, such as in Mozillas free hosting service for open-source extensions: https://addons.mozilla.org.
An exploit can be done through a man-in-the-middle attack where an attacker convinces a targeted system that he or she is the update server for one or more extensions. Firefox prompts a user when updates are available and then downloads and installs software, which in this case would be malicious code. Some commercial extensions, including those from Google, have disabled the notification, opting instead for silent install.
Soghoian didnt give any more details on the vulnerability, saying that it stems from “design flaws, false assumptions, and a lack of solid developer documentation instructing extension authors on the best way to secure their code.”
Any users who have installed Firefox and one or more of the vulnerable extensions are at risk when using public or unencrypted wireless networks, an untrusted Internet connection or a compromised home router, including routers running with default passwords.
Soghoian writes that he notified Firefoxs Security Team as well as some vendors of high-profile software, such as Google, Yahoo and Facebook, some 45 days ago. As of May 30, none had yet released a fix. Until they do, Soghoian says that users should remove or disable any Firefox extensions downloaded anywhere except for off of the official Firefox Add-ons Web site.
If in doubt, he said, delete the extension—which can be done in Firefox through the Tools->Add-ons menu—and download it from a safe site.
A Google spokesman said that the company has developed a fix for the extensions and that users will be automatically updated with the patch shortly. Google hasnt received any reports of the vulnerability being exploited.
The Firefox Web browser includes the ability for third parties to release code, known as extensions, that will run within the users browser. Firefox also includes an upgrade mechanism, enabling the extensions to poll an Internet server, looking for updates. If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code.
Soghoian said that McAfee is one commercial vendor whose extension does get its updates from a secure Web site. “The McAfee SiteAdvisor does things correctly, and is thus not vulnerable to this attack,” he wrote.
Editors Note: This story was updated to include Googles statement.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.