MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

Size: px

Start display at page:

Download "MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions"

Mavis Price
5 years ago
Views:

1 MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions Kristjan Krips 1 Introduction Mozilla Firefox has 24.05% of the recorded usage share of web browsers as of October 2009, making it the second most popular browser in terms of current use worldwide after Microsoft's Internet Explorer [1]. One reason behind its popularity is the possibility to change the functionality and the appearance of the browser. These modifications are added by extensions. With the growing usage of the browsers, also the extensions will be used more and more. Another reason is the security, which is supposed to be better compared to closed source browsers. But as Firefox gains more users it will also get more attention from attackers. So it is important to know where the possible weaknesses in its security model are. In this paper i will give an overview of the risks that Firefox s extensions may have. When used in the wrong way, extensions may become a very big security threat. It is possible to overlay Firefox s code using extensions, even the code of other extensions. Also it is possible to change the way web pages are being displayed. Website defacement is easy to achive. Considering the latter it is important to find out if the current security model of Firefox s extensions is sufficient and if it is not, then what can be done to improve it. 2 The extension model Extensions work by overlaying the code of Firefox. It is done through the user interface. User interface is written using XUL (XML user interface language), which is combined with JavaScript, CSS, HTML elements. XUL-based applications load the code for their interface from chrome:// URLs. Code loaded from a chrome URL has extended, or chrome, privileges. The code running with chrome privileges is allowed to do everything, unlike the web content, which is restricted in several ways [2]. When loading content using a Chrome URI, Firefox uses the Chrome Registry to translate these Uri s into the actual source files on disk (or in JAR packages) [3]. Extensions can access the Gecko engine, which is a cross-platform layout engine. Access to the engine is provided through a middle layer named XPConnect, which allows JavaScript to interfere with XPCOM (Cross Platform Component Object Model). This component object model makes virtually all of the functionality of Gecko available as a series of components, or reusable cross-platform libraries, which can be accessed from the web browser or scripted from any Mozilla application. Applications that want to access the various Mozilla XPCOM libraries (networking, security, DOM, etc.) use a special layer of XPCOM called XPConnect, which reflects the library interfaces into JavaScript (or other languages). XPConnect glues the front end to the C++ or C programming language-based components in XPCOM, and it can be extended to include scripting support for other languages [4]. 3 Threats from the extensions 3.1 Website defacement Website defacement is the main topic of this paper. It is possible to change the way a web page is being displayed while it is being loaded. JavaScript with a specific event listener is enough to be able to change the content of a web page. DOMContentLoaded is the event listener that could be used. Fired on a Window object when a document's DOM content is finished loading, but unlike "load", does not wait until all images are loaded [5]. 1

2 I made an extension to test if I could use these methods to change the way a https page is being displayed. It worked; after the DOM had been loaded it was possible to modify the content before it was displayed. It shows that Firefox doesn t guarantee that a verified web page is always being displayed uniquely. 3.2 Tricking a user to think that he is using a secure site To be able to trick an user to think that a web page is secure, it is needed to make him see no difference between the real page and the fake one. Firefox uses several methods to change the user interface so that the user sees certain icons or extra information when using a secure site. Firefox classifies web pages into three categories: pages with no identity information, pages with basic identity information and pages with complete identity information. The last two are both encrypted pages whose domain has been verified but the latter also has the information about the owner of the site. To visualize the categorization it provides a colored button on the left side of the address bar since version 3.0. This area is called the site identity button. If the page has no identity information, then the button is colored grey, else if it is verified and uses encryption but doesn t have the information about the owner it will be colored blue and when the page has complete identity information it is colored green. It shouldn t be possible to change the color of the site identity button, as this is the first thing, which makes the user notice that he is using a secure site. But using only a few lines of code it is possible to overlay the site identity button s background color to make it look identical to the ones used on secure sites. This is done by overlaying the default background color with the chosen one. #identity-box { background: #339933; } /* For Mac OS a few more lines are needed */ Another security feature is the padlock icon, which is shown on secure sites. Firefox places the icon on the right side of the status bar. But there are no restrictions on the extensions overlaying the skin of the browser. It is possible to disable the icon with one line of code and add a false icon with a few more lines. Overlaying the browser.xul file with these lines added, the extension will add the identical padlock icon to the status bar. <statusbar id="status-bar"> <statusbarpanel id="testapp-status-bar-icon" class="statusbarpanel-iconic" src="chrome://testapp/skin/status-barpadlock.png" position="3" /> </statusbar> 3.2 Cross site scripting Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user [6]. Suggi Liverani and Nick Freeman at Defcon 17 any input rendered in the chrome is a potential XSS injection point. XSSin chrome is privileged code, so there are no same origin policy restrictions [7]. 4 Attack scenarios 4.1 Stealing sensitive information Using website defacement gives the attacker the opportunity to change the URL behind the name of the link on secure web page. The false link could lead to a visually identical web page, which is controlled by the attacker. Additionally the web site could have been modified in such a way that clicking on login or send information button would send the information also to the attacker. In addition a bad extension could collect the usernames and passwords, which are saved in Firefox and send these to the attacker. This could be done if a master password hasn t been set for viewing the saved passwords. 4.2 Adding security holes Suggi Liverani and Nick Freeman at Defcon 17. there are no security boundaries between extensions. It means that it is possible to write an extension, which alters the behavior of another extension [7]. Using that it would be possible to create security holes, for example allowing using cross 2

3 site scripting. For example an attacker has made a web page which injects code into the browser s chrome and he wants the user of his bad extension to visit that site. Attacker can set the default home page to his site, if he doesn t want to be hidden or open a new tab at a certain time and hope that the user won t understand what has happened. 5 How are extensions distributed Firefox is an open source project and anyone willing to learn the basics could write simple extensions. Because of that there are many who would like to get feedback about their extensions. Mozilla has made a web page for that, where anyone can post their extensions. There is a huge number of extensions being developed and they all can t be reviewed as they are submitted. The solution is that new extensions are sent to the sandbox, where the possibilities of distribution are somewhat limited. This is called a sandbox review system. The sandbox is an area for advanced users to test add-ons before they are reviewed for general use. In order to access the sandbox, you must enable it in your account settings. Caution should be used when installing sandboxed add-ons, as they have not been tested by an editor and may harm your computer [8]. In order to make an extension public, it is submitted for reviewing, but to do that there has to be some feedback from other developers. Reviewing is done by an editor. Editors are usually developers who like to review others extensions. Anyone who meets the requirements can apply to become an editor. The requirements are reviews and showing the understanding of the sandbox system. When two editors or administrators think that the candidate is ready then he will become an editor. This requirement style doesn t require much resource but it won t guarantee that the new editor has the proper knowledge to deal with security issues. Also an attacker could apply for becoming an editor and could have the right to accept bad extensions if the second editor hadn t noticed a possible threat to security. 6 How could bad extensions be distributed 6.1 Hijacking a public Wi-Fi Having control over the wireless network gives the possibility to fake the update of an extension and instead install the bad extension. Every time the browser starts it checks for updates for its extensions. Extensions which are hosted in Mozilla s official servers are updated using secure protocols but there are many popular extensions that use insecure protocols for transmitting updates. These extensions are a potential security threat. According to Chris Soghoian, the Indiana University doctoral candidate who discovered the weakness, the vulnerability exists for some of the most popular Firefox add-ons, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions.[9]. 6.2 Installing a bad extension to a public computer Installing an extension is easy, it can be done using drag and drop. Dragging the extension file to the browser window initiates the installation. By default the extension is installed only to the user who installed the extension. In public computers it is possible for anyone to install an extension, as it doesn t require administrative rights. There is vulnerability when the public computer doesn t delete user profiles after every usage. For example, students in some classes are able to use the computers in administrative rights. 6.3 Using a trusted extension The trusted extensions that are hosted at Mozilla s official site don t need reviews for updates. After an extension has been granted trust it is possible for the developer to add bad code into the next update and the extension with the bad code will spread widely. 3

4 7 Ways of improving the security model At the moment the extension code is trusted by Firefox. It doesn t differentiate right of the extensions by the security level of the web site. User should always feel safe when visiting trusted and encrypted web sites; it shouldn t be possible to alter the way a secure site s content is being displayed. To change this behavior there are several solutions. The strictest would be to disable all extensions on secure web pages. But this could reflect on the popularity of Firefox. Also at the moment the extension model is built so that in order to disable an extension a restart is needed. To modify that it is necessary to rewrite the way Firefox uses extensions. Another solution would be to allow the use of trusted or certified extensions on the secure pages and to disable all other extensions. This faces the same problem as the latter with the restart. But if restarting could be avoided then this would probably be a better solution. As shown before, it is possible to change to content of the web page before it is displayed, this is done via modifying DOM. There should be a restriction regarding https pages, which would not allow modifications in DOM. The downside of this would be the impossibility to use extensions for blocking advertisements, as they are also a part of the content of the page. But usually there are not too many advertisements on secure pages and it is better to know that you are safe. At the moment there is a solution for all these problems, but many people may not like it. Namely when Firefox is started in safe mode, it disables all extensions and thus there is no threat from the extensions. Even if users know that a safer way exists, many won t like the idea of closing the current browser s window with all of its tabs just to open the same browser again. While working, it would take valuable time and changing the way users behave requires time and effort. They would have to know that extensions are not always safe, but it is more realistic that eventually the developers will change the extensions safer rather than tell the users that there is a potential threat to security and it is recommended to use safe mode. 8 Conclusion Current extension model has its flaws. Very little has been thought about the security. With the growth of the user base it is necessary to focus on the security or the browser might loose its status of being safe. Suggi Liverani and Nick Freeman at Defcon 17 the security model of Firefox is nonexistent. The code of the extensions is fully trusted and there are no boundaries between extensions [7]. The risk of attacks originating from extensions grows but users aren t aware of the dangers, because of that it is important to minimize the risks. To do that it is nessecary to make a new security model, which would consider the security of developing, distributing, updating, giving different rights to different extensions and limiting the rights on secure sites. 4

5 References [1] Browser Market Share (October 2009). Mozilla Firefox [9] A New Vector For Hackers -- Firefox Add- Ons 007/05/bungled_addon_updates_endanger.ht ml [2] Chrome [3] Building an extension _Extension [4] XPCOM [5] Gecko-Specific DOM Events Specific_DOM_Events [6] Cross-site Scripting (XSS) [7] Abusing Firefox Extensions ting_firefox_extensions/eusecwest09_- _Roberto_Suggi_Liverani_- _Nick%20Freeman_- _Exploiting_Firefox_Extensions.pdf [8] Sandbox review system US/firefox/pages/sandbox 5

The security of Mozilla Firefox s Extensions. Kristjan Krips

The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting