The attacker exhibited some degree of mad genius by claiming the Add-on fixed problems with the very popular Tamper Data add-on — popular, it’s worth noting, among security testers and web developers.
The back door was discovered by chance when a vigilant user noticed his browser sending HTTP traffic to an unknown web site. (Check out the article for more details.)
This would make a great example for Chapter Seven, Malware and Browser Attacks, of The Book. Whereas many attacks target vulnerabilities in plugins like PDF readers or Flash player, far fewer (observed) back-doored or otherwise malicious plug-ins have turned up.
Mozilla Sniffer may be the first back-doored Add-on for Firefox, but it’s not the first one to be malicious. In December 2008 an Add-on dully labeled “Basic Example Plugin for Mozilla” was discovered to be siphoning users’ banking credentials from the browser.
Watch for more malicious plug-ins to follow the steps of Mozilla Sniffer. One improvement will likely be in the command-and-control channel. A more subtle plug-in might only launch on random pages or at random times to reduce the chance of detection. Or the plug-in might have a pre-defined list of strings (bank, check-out, credit card, password) that cause it to trigger — although Mozilla Sniffer already did this. The plug-in could even check a Twitter feed or a URI shortener to dynamically load commands, or report its data to a Twitter feed rather than a static IP address.
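A defender-side check that follows from how the back door was spotted (a user noticing unexpected HTTP traffic leaving the browser): this is an added example, not code from the original post, that scans constructed proxy-log lines for POSTs carrying credential-like form fields to a host other than the page the user was on. The log format, field names and hostnames are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines: method, URL, Referer, POST body ("-" if none).
# All hosts and paths are made up for this example.
SAMPLE_LOG = """\
POST https://bank.example/login https://bank.example/ user=alice&password=hunter2
POST http://203.0.113.5/collect.php https://bank.example/login user=alice&password=hunter2
GET http://cdn.example/app.js https://bank.example/ -
POST http://203.0.113.5/collect.php https://shop.example/check-out cc=4111111111111111
POST https://shop.example/cart https://shop.example/check-out item=42&qty=1
"""

# Form field names (lower-cased, exact match) that suggest credentials or payment data.
SENSITIVE_FIELDS = {"password", "passwd", "pass", "pwd", "cc", "ccnum", "card",
                    "cardnumber", "cvv", "ssn"}

def parse_line(line):
    """Split one assumed-format log line into its four columns."""
    method, url, referer, body = line.split(" ", 3)
    return {"method": method, "url": url, "referer": referer, "body": body}

def sensitive_fields(body):
    """Return the sorted names of sensitive-looking fields in a URL-encoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(k for k in fields if k.lower() in SENSITIVE_FIELDS)

def is_cross_origin(url, referer):
    """True when the request host differs from the host of the page that made it."""
    if referer == "-":
        return False
    return urlsplit(url).netloc.lower() != urlsplit(referer).netloc.lower()

def find_exfiltration(log_text):
    """Return (destination host, referer host, fields) for each POST that sends
    sensitive form fields somewhere other than the site the form was entered on."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["method"] != "POST" or rec["body"] == "-":
            continue
        fields = sensitive_fields(rec["body"])
        if fields and is_cross_origin(rec["url"], rec["referer"]):
            hits.append((urlsplit(rec["url"]).netloc,
                         urlsplit(rec["referer"]).netloc, fields))
    return hits

if __name__ == "__main__":
    for dst, src, fields in find_exfiltration(SAMPLE_LOG):
        print(f"suspicious: {fields} entered on {src} was posted to {dst}")
```

The same-site login POST and the cart update are left alone; only the two copies sent to the unrelated host are flagged.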
1 If you don’t believe in evolution then blame Noah for bringing a pair of hackers aboard the Ark. He squeezed them between the penguins and the dinosaurs. I personally doubt this account of history because of the dubious possibility of hackers breeding.