Researcher: Don’t trust toolbars for Firefox

Makers of some of the most popular extension software used by the Firefox browser are not doing enough to secure their software, a security researcher said Wednesday.

The problem is that many widely used Firefox extensions, including toolbars from Google, Yahoo, and AOL, do not use secure connections to update themselves, according to Christopher Soghoian, a security researcher who blogged about the issue on Wednesday.

Soghoian is best known as the researcher who attracted the attention of the FBI late last year after publishing a tool that could be used to print fake boarding passes.

The Indiana University doctoral student discovered the Firefox issue last month while examining network traffic on his computer. He noticed that many of the most popular Firefox extensions are not hosted on servers that use the SSL Web protocol. SSL Web sites, which begin with “https://,” use digital certificates to provide users with some level of assurance that they’re not connecting with a fake server.

Although the corporation behind Firefox, Mozilla, hosts the majority of Firefox extensions on its own SSL-enabled Web site, it is common for commercial extension-makers like Google to host their software on an unsecured site, Soghoian said in an interview.

This leaves users vulnerable to a “man-in-the middle” attack, where Firefox could be tricked into downloading malicious software from a site it mistakenly thought was hosting an extension.

It wouldn’t be easy for an attacker to pull this off, however. In one scenario, the hacker would set up a malicious wireless access point in a public area where people are using wireless connections. He could then redirect extension update traffic to a malicious computer. “An attacker who sets up a wireless access point can then infect anyone who connects to it,” Soghoian said.

The Del.icio.us Extension, Facebook Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, and PhishTank SiteChecker are also vulnerable to this issue, Soghoian said.

Though Soghoian said Firefox users should avoid extensions that are not from the secure Firefox add-ons site, not all security researchers see this as a major issue.

“It’s just yet another vulnerable design among billions,”said Gadi Evron, security evangelist for Beyond Security. “I don’t see it as that critical. There is no inherent vulnerability, but it does make the over-whole design weaker, and that should probably be addressed”

Evron said it was “silly” that sites weren’t using SSL for these extensions.

Soghoian said he notified Google, Yahoo, and Facebook of the issue in mid-April, but nobody had addressed the issue as of Wednesday. Just hours after Soghoian went public with his findings, Google said it would “soon” have a fix for the problem.

It’s common for Web developers to ignore security in the rush to push out new and cool features, Soghoian said. “Your average Web 2.0 developer doesn’t learn about security,” he said. “Google has a spectacular security team … my suspicion is that one hand wasn’t talking to the other.”