Skip to content ↓ | Skip to navigation ↓

Millions of users are open to attacks that can quietly compromise machines by exploiting a weakness in some of Firefox’s most popular browser extensions.

On Thursday, Boston University PhD Ahmet Buyukkayhan and Northeastern University Professor William Robertson presented their research on the attacks at Black Hat Asia in Singapore.

Black Hat Asia is a sister event to Black Hat USA, one of The State of Security’s top 11 information security conferences for 2016.

The researchers explained that the attacks leverage a weakness in the structure of Firefox browser extensions, reports Darren Pauli of The Register.

As extensions run with elevated privileges, including access to information, an attacker could duplicate a popular browser extension vulnerable to the reuse attacks, such as NoScript (2.5 million users), Video DownloadHelp (6.5 million users), and GreaseMonkey (1.5 million users), in order to pwn unsuspecting users’ machines.

AdBlock Plus at 22 million users is unaffected by the attacks, observes Pauli.

In light of these vulnerabilities, Buyukkayhan and Robertson have released a framework called Crossfire to help identify extensions that are open to exploitation.

“We a have a lot of trust placed in browser vendors … but if you think about it, really squint your eyes, the extension framework really is a backdoor for potentially untrusted third parties to run code in a highly-privileged context,” Robertson said. “We really shouldn’t have trust in the extension authors. The combination of automated analysis, manual review, and extension-signing – the vetting model that underpins all of Firefox’s extension security – if something goes wrong, then all bets are off.”

crossfire browser firefox

After determining that they could upload a proof-of-concept extension that passed a “fully reviewed” analysis, the researchers decided to share Crossfire with Firefox, whose teams have committed themselves to strengthening the browser’s extension review process.

News of these attacks follow Mozilla’s announcement last summer to temporarily block every version of Adobe Flash Player running in its Firefox web browser until Adobe patched certain publicly known security vulnerabilities.