"Mozilla Sniffer" Add-on Tests Security of Security Testers

An article on Netcraft describes the discovery of a back door that wheedled its way into the popular Web Application Security Penetration Testing collection of Firefox Add-ons.

The attacker exhibited some degree of mad genius by claiming the Add-on fixed problems with the very popular Tamper Data add-on — popular, it’s worth noting, among security testers and web developers.

The back door was discovered by chance when a vigilant user noticed his browser sending HTTP traffic to an unknown web site. (Check out the article for more details.)

This would make a great example for Chapter Seven, Malware and Browser Attacks, of The Book. Whereas many attacks target vulnerabilities in plug-ins like PDF readers or Flash Player, far fewer back-doored or otherwise malicious plug-ins have been observed.

Mozilla Sniffer may be the first back-doored Add-on for Firefox, but it’s not the first one to be malicious. In December 2008 an Add-on dully labeled, “Basic Example Plugin for Mozilla,” was discovered to be siphoning users’ banking credentials from the browser.

Malicious plug-ins are a natural evolution of malware authors’ endeavors to pull valuable data from the browser. Plug-ins are cross-platform and don’t require buffer overflows or privileged access (other than having the user install them). In another sense these attacks are not really a dramatic evolution, but a small speciation of a well-established tactic¹. As browser computing becomes more analogous to desktop computing, the risks have simply shifted from downloading and installing an unverified .exe file to installing some unverified JavaScript as a browser extension.

Watch for more malicious plug-ins to follow in the steps of Mozilla Sniffer. One improvement will likely be in the command-and-control channel. A more subtle plug-in might only launch on random pages or at random times in order to reduce the chance of detection. Or the plug-in might have a pre-defined list of strings (bank, check-out, credit card, password) that cause it to trigger — although Mozilla Sniffer already did this. The plug-in could even check a Twitter feed or a URI shortener to dynamically load commands, or report its data to a Twitter feed rather than to a static IP address.

=====
1 If you don’t believe in evolution then blame Noah for bringing a pair of hackers aboard the Ark. He squeezed them between the penguins and the dinosaurs. I personally doubt this account of history because of the dubious possibility of hackers breeding.