Security Watch

Keeping track of patches and hacks in the IT security world.

Beware of Flat-Packed Firefox Add-ons

Mozilla has slapped a "high severity" rating on an unpatched Firefox vulnerability that could let hackers steal session cookies -- and sensitive user information -- from Web surfers.

Mozilla security chief Window Snyder confirmed the issue in a blog entry late Tuesday, warning that Firefox users who have installed "flat" packed add-ons (browser extensions) are at risk.

The flaw was originally reported as a low-risk information disclosure issue that could help with pre-attack reconnaissance, but Snyder's latest update confirms the risk is much higher.

"An attacker can use this vulnerability to collect session information, including session cookies and session history," Snyder said.

Stolen cookies and session information could eventually lead to a complete hijack of Gmail accounts, eBay credentials and other sensitive Web-based accounts.

Although Firefox is not vulnerable by default (only users who have installed "flat" packed add-ons are at risk), this partial list of vulnerable Firefox extensions is very, very long.

It includes popular add-ons like Greasemonkey, Download Statusbar, Finjan Secure Browsing and YouTube It.

"If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging," Snyder added.

Mozilla plans to ship Firefox very soon -- possibly by the end of this week -- to patch this vulnerability.
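
Until the fix and updated add-ons arrive, users can check which installed extensions are flat-packed. The following is an added example, not code from Mozilla or from this article: it reads each extension's chrome.manifest and lists content, skin and locale packages registered from plain directories rather than from a jar: archive. The unpacked profile layout, the function names and the sample manifests are assumptions made for illustration.

```python
from pathlib import Path

# Position of the location field for each registration type in chrome.manifest.
URI_FIELD = {"content": 2, "locale": 3, "skin": 3}


def flat_registrations(manifest_text):
    """Return (type, package, location) for each chrome registration that
    points at a plain directory instead of a jar: archive."""
    flat = []
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        idx = URI_FIELD.get(fields[0])
        if idx is None or len(fields) <= idx:
            continue  # overlay/style/etc., or a malformed line
        location = fields[idx]
        if not location.lower().startswith("jar:"):
            flat.append((fields[0], fields[1], location))
    return flat


def audit_extensions(extensions_dir):
    """Map each unpacked extension directory name to its flat registrations.
    Assumes one sub-directory per extension, each holding chrome.manifest."""
    report = {}
    for manifest in sorted(Path(extensions_dir).glob("*/chrome.manifest")):
        hits = flat_registrations(manifest.read_text(errors="replace"))
        if hits:
            report[manifest.parent.name] = hits
    return report


# Constructed sample manifests (hypothetical add-on, not a real one).
SAMPLE_FLAT = """\
# flat layout: files sit directly in directories
content  exampleext  chrome/content/
skin     exampleext  classic/1.0  chrome/skin/
overlay  chrome://browser/content/browser.xul  chrome://exampleext/content/o.xul
"""
SAMPLE_JAR = """\
content  exampleext  jar:chrome/exampleext.jar!/content/
locale   exampleext  en-US  jar:chrome/exampleext.jar!/locale/en-US/
"""

if __name__ == "__main__":
    print(flat_registrations(SAMPLE_FLAT))  # two flat registrations
    print(flat_registrations(SAMPLE_JAR))   # none
```

To audit a real profile, call `audit_extensions()` with the path to that profile's extensions directory.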