Skip to main content

Is Your Firefox Extension Leaving You Open To Attack?

By April 12, 2016May 26th, 2021Blog, Cybersecurity

is_your_firefox_extension_making_you_susceptible_to_a_hackBrowser extensions are in the news lately, and not just for Firefox. Recently, hackers have corrupted several Google Chrome extensions, and are using them to display unwanted ads to unsuspecting users. For Firefox though, matters are a fair bit worse. It’s not just ads that Firefox users have to worry about, it’s the possibility of losing total control of their browser to a hacker, and that, of course, opens the door to losing control of your computer itself.

Chrome and Firefox handle extensions differently, and in the case of Firefox, extensions are allowed to share code. This opens up a window of potential exploitation. If the hackers can get one corrupted extension past Firefox’s manual code integrity checkers, and that extension gets downloaded by a user, it can begin passing code to other extensions with elevated privileges, and ultimately wind up with full control over a user’s browser. At that point, all bets are off. The now-controlled browser could download a malicious file in the background without the user’s knowledge, or the hacker could keep track of every keystroke logged by the user. In either case, that amounts to bad news.

It should be noted, however, that this hack only came to light after an extensive two years of testing. This is not the sort of attack that a garden variety hacker could, or would even think to pull off, but there are clearly hackers out there who could do such a thing, and given the nature of the attack, there’s virtually no defense against it.

There’s good news on that front, however. Firefox has already responded, reporting that that later this year, they’ll be releasing a new set of browser extension APIs that introduce multi-process architecture to Firefox, and by extension, to all the extensions users might install. This will, by definition, keep them from using the same code, which will solve the problem. Provided users update, of course, making it more important than ever to keep current with updates.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.