Monday, July 13, 2009

Firefox extensions: They're just software, like ActiveX. Extend, modify and control the browser.

Firefox extension points:

  • XUL: XML user interface language
  • XBL: XML Binding Language - logical behaviour of widgets
  • XPCOM: Reusable components, interface to file system etc.
  • XPConnect: Allows Javascript to connect to XPCOM
  • Chrome: Special browser zone that is fully trusted by Firefox - code running there is fully trusted and has access to the filesystem, user passwords etc.

Mozilla's security model for extensions is non-existent. All extensions are fully trusted by Firefox, with no boundaries between extensions: they can modify each other without the user knowing. They can be coded in C++ and are then subject to memory corruption etc.

Extensions are very popular (a billion downloads) and can be found everywhere: social networks, search engines, software packages (Skype, anti-virus), anti-phishing toolbars.

The biggest problem is the human side of things: addons.mozilla.org recommends extensions and adds a 'recommended' icon next to them, but extension source code isn't read by third parties ("It's not the Linux kernel").

There's no protection from an extension with a security problem: it will bypass any other phishing / malware protection extensions.

Extensions aren't signed (not even the Mozilla ones), so we can't rely on people checking signatures.

If an extension is originally trusted, then subsequent updates won't go through the same review process.

There are no current guidelines for testing a Firefox extension, so security-assessment.com have come up with their own methodology (whitepaper to be released this year or early next year):

  • Isolated testing: Only test one extension at a time, on different OSes with different Firefox versions.
  • Information gathering: How does the extension work, how is it installed? Look inside the extension package (a zip file) and look for malicious files (e.g. .exe, .msi etc.)
  • Look for XPInstall API functions that are dangerous (e.g. executing code on install)
  • Look for suspicious files in the extension folder (e.g. soft links to other directories)
  • Look inside install.rdf - some tags can hide extensions so they don't appear in the add-on manager
  • Extensions can have the same description as other installed extensions, so two appear in the add-on manager
  • Does the extension try to trick the user into thinking it's verified?
  • Look for pointers outside the extension, or flags that expose the extension object or content to untrusted code (e.g. contentaccessible=yes or xpcnativewrappers=no)
  • Extensions can be merged into the Firefox UI - e.g. top toolbar, bottom status bar. They can also modify existing buttons, e.g. the Reload, Back, Forward or Home button.
  • Use the extension. Check the DOM of a test page with the extension loaded (they used MozRepl to do this)
  • Debugging: breakpoints can be set using the JavaScript debugger.
  • Sandbox: can be sidestepped by replacing code inside the sandbox or evaluating it from outside
  • XPCOM components: .dll or .so - compiled code that the extension may ship with, or it may use existing components on the machine. May need to review source code or decompile. A bunch of components to watch out for.
  • wrappedJSObject: strips the protective wrapper from an XPCOM component, so the extension is bypassing Firefox's protection.
  • Watch out for callback functions, which may be replaced / modified
  • window.openDialog: opens any URI with elevated chrome privileges
  • Auth: Some expose credentials in plain text, e.g. via GET or basic auth
  • Auth: Some expose functionality via JavaScript that can side-step the normal process
  • Skype extension: a JavaScript call that any web page can use to start dialing your Skype to any
  • XSS: Watch out for XSS issues - script can execute in the chrome zone via DOM events, embedded XSS, recursive iframes
  • XSS: Extensions loading external scripts
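The package-inspection steps above (zip contents, chrome.manifest flags, install.rdf, risky JavaScript APIs, innerHTML-style XSS sinks, external scripts) can be turned into a first-pass static triage; the following is an added example in Python, not the speakers' tool or code. The XPI it scans is constructed in memory, and the pattern labels and the `em:hidden` check are my choices rather than anything the talk specifies.

```python
import io
import re
import zipfile

# Added example, not from the talk: static triage of a Firefox XPI (a zip file)
# for the indicators listed above. Labels and pattern set are my own choices.
MANIFEST_FLAGS = ("contentaccessible=yes", "xpcnativewrappers=no")
BINARY_EXTS = (".exe", ".msi", ".dll", ".so", ".bat")
CODE_EXTS = (".js", ".xul", ".xml", ".html")
JS_PATTERNS = {
    "wrappedJSObject": r"\.wrappedJSObject\b",
    "openDialog": r"\bopenDialog\s*\(",
    "eval": r"\beval\s*\(",
    "innerHTML assignment": r"\.innerHTML\s*=",
    "external script": r"<script[^>]+src\s*=\s*[\"']https?://",
}

def scan_xpi(data: bytes) -> list:
    """Return (file, finding) pairs for an XPI given as raw bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for name in xpi.namelist():
            lower = name.lower()
            text = xpi.read(name).decode("utf-8", "replace")
            if lower.endswith(BINARY_EXTS):
                findings.append((name, "native/executable file shipped in package"))
            elif lower.endswith("chrome.manifest"):
                # flags that expose chrome content or strip XPCNativeWrappers
                for flag in MANIFEST_FLAGS:
                    if flag in text.replace(" ", ""):
                        findings.append((name, f"manifest flag: {flag}"))
            elif lower.endswith("install.rdf"):
                # em:hidden keeps the add-on out of the add-on manager
                if re.search(r"<em:hidden>\s*true", text):
                    findings.append((name, "install.rdf hides extension"))
            elif lower.endswith(CODE_EXTS):
                for label, pat in JS_PATTERNS.items():
                    if re.search(pat, text):
                        findings.append((name, f"risky pattern: {label}"))
    return findings

def build_sample_xpi() -> bytes:
    """Constructed sample package (not a real add-on) showing several indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF><em:hidden>true</em:hidden></RDF>")
        z.writestr("chrome.manifest", "content demo chrome/content/ "
                   "contentaccessible=yes xpcnativewrappers=no\n")
        z.writestr("chrome/content/overlay.js", "var o = content.document.wrappedJSObject;\n"
                   "window.openDialog(url);\npanel.innerHTML = feed.description;\n")
        z.writestr("components/helper.dll", b"\x00")
    return buf.getvalue()
```

Run `scan_xpi(open("some.xpi", "rb").read())` on a real package; every hit is a place to read by hand, not a verdict.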

They have applied their methodology to different extensions, and some vendor responses have been slow or non-existent!

Here are some extensions that were demoed and had problems. They are all common or Mozilla-recommended (all of these have since been fixed):

  • FireFTP: Malicious code could be included in the welcome message of an FTP server, and the browser would execute it. Showed a proof of concept sending the contents of win.ini to a different server, and using BeEF to control the client.
  • CoolPreviews: Susceptible to XSS if a data: URI is used. Showed remote code execution when right-clicking on a link and previewing it with CoolPreviews.
  • WizzRSS: HTML and JavaScript in the <description> tag of RSS feeds is executed in the chrome zone. Showed a reverse shell onto the Windows machine from a malicious user's machine.

Extension developers and vendors don't have a security disclosure process yet; they don't know how to deal with the issues. Some extensions don't even publish an email address for the author.

Tools:

  • Firebug
  • MozRepl
  • BeEF: a command console for an attacker to run script on the client computer.