2. What & Who
This presentation demonstrates the strength of the Mozilla platform and how some of its features could be misused by malicious users. It is intended to dispel a common myth: "Just using FIREFOX keeps you SECURE".
3. Agenda
- Basic premise
- Understanding the Mozilla Platform
- Attacking Firefox
- Malicious Extensions
- XCS
- Some basic points to watch...
- That's All Folks...
9. Mozilla Platform
Chrome: the term is used to indicate a "Special Trusted Zone" within the Mozilla Platform.
10. Mozilla Platform
XUL (pronounced "zool"): Mozilla's XML-based language that lets you build feature-rich cross-platform applications that can run connected or disconnected from the Internet.

<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="vbox-example" title="Example 3...."
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <vbox>
    <button id="yes" label="Yes"/>
    <button id="no" label="No"/>
    <button id="maybe" label="Maybe"/>
  </vbox>
</window>
11. Mozilla Platform
XBL: XML-based markup language used to declare the behavior and look of XUL widgets and XML elements.

scrollbar { -moz-binding: url('somefile.xml#binding1'); }

Here "binding1" is the id of the binding.
12. Mozilla Platform
XPCOM: cross-platform component model from Mozilla, the nerve center of the Mozilla platform. XPCOM has some similarity to CORBA and Microsoft COM.
23. The content of the file should be the location of the extension code.
Beware: when this file exists in the folder, the extension is installed automatically; no human interaction is required.
24. Extension Security!
- The Mozilla extension security model is completely flat
- Extension code is treated as fully privileged by Firefox
- Vulnerabilities in extension code can result in full system compromise
- No security boundaries between extensions
- An extension can silently modify/alter other extensions
25. The Potential
Statistics – Firefox Browser Market Share
- Beyond 20% globally since November 2008, more than 50% in certain regions/countries
- Source: Marketshare - marketshare.hitslink.com
- Over 2 billion add-ons and growing
27. Concerns on AMO
- Everyone can write an extension and submit it to AMO (even us)
- The AMO review process lacks a complete security assessment
- Few extensions are signed in AMO; extensions are generally not "signed"
- Users trust unsigned extensions
- Experimental extensions (not approved yet) are publicly available
29. Extension and Malware
Some people have already exploited this concept:
- FormSpy - 2006: Downloader-AXM Trojan, poses as the legitimate NumberedLinks 0.9 extension; steals passwords, credit card numbers, and e-banking login details
- Firestarterfox - 2008: hijacks all search requests through multiple search engines and redirects them through the Russian site thebestwebsearch.net
- Vietnamese Language Pack - 2008: shipped with adware
Might happen in the near future...
- Malware authors bribe/hack a famous/recommended extension developer/vendor
- Initially benign extension; malware is introduced in a 3rd/4th update
30. Attacking Firefox!
Now that we have seen the basic architecture and the problem, let's have some fun.
31. Anatomy of an Extension
These are the components of every extension. They are archived together in the XPI file format.

Sample files inside an XPI file, exampleExt.xpi:
/install.rdf
/chrome.manifest
/chrome/
/chrome/content/
    browser.xul
    browser.js
32. Malicious Extensions
We will build a malicious extension which will:
- Log all key strokes and send them remotely
- Execute native code
- Extract stored passwords
- Add a malicious site to the NoScript whitelist
DEMO
33. Interesting Finds
In the course of making this presentation I found some interesting things.
42. What Can We Look For?
- Suspicious single file(s) in the extension folder
- XPIs are archives: they can be unzipped and checked for any packaged executables
- Check the install.rdf for common pitfalls, mainly <em:hidden>
- Verify chrome.manifest does not point to other extension folders, as it can overwrite functionality
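An added example, not part of the original slides, that automates the three checks above on an XPI in Python: it lists packaged executables, looks for <em:hidden>true</em:hidden> in install.rdf, and flags chrome.manifest registrations that escape the extension directory or override another chrome: URL. The sample XPI it builds is constructed here and is not a real add-on.

```python
import io, re, zipfile

# Native binaries have no business inside a browser extension archive.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".scr", ".com")
# chrome.manifest paths that escape the extension's own directory.
ESCAPES_EXTENSION = re.compile(r"^(\.\./|/|[A-Za-z]:\\|file:)|/\.\./")

def audit_xpi(xpi_bytes):
    """Return a list of findings for an XPI (a ZIP archive) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        names = xpi.namelist()
        # 1. The XPI is just a ZIP: list its members and flag packaged executables.
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append("packaged executable: " + name)
        # 2. install.rdf: <em:hidden>true</em:hidden> hides the add-on from the Add-ons manager.
        if "install.rdf" not in names:
            findings.append("install.rdf missing")
        elif re.search(r"<em:hidden>\s*true\s*</em:hidden>",
                       xpi.read("install.rdf").decode("utf-8", "replace"), re.I):
            findings.append("install.rdf sets <em:hidden>true</em:hidden>")
        # 3. chrome.manifest: registrations must stay inside the XPI, and an
        #    'override' directive replaces another chrome: URL outright.
        if "chrome.manifest" in names:
            for line in xpi.read("chrome.manifest").decode("utf-8", "replace").splitlines():
                tokens = line.split()
                if not tokens or tokens[0].startswith("#"):
                    continue
                for tok in tokens[1:]:
                    if ESCAPES_EXTENSION.search(tok):
                        findings.append("chrome.manifest %s escapes the extension: %s" % (tokens[0], tok))
                if tokens[0] == "override" and len(tokens) > 1:
                    findings.append("chrome.manifest overrides " + tokens[1])
    return findings

def build_sample_xpi():
    """Constructed sample XPI (not a real add-on) exhibiting all three pitfalls."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF><Description><em:id>sample@example.invalid</em:id>"
                   "<em:hidden>true</em:hidden></Description></RDF>")
        z.writestr("chrome.manifest",
                   "content sample chrome/content/\n"
                   "content other ../otherext@example.invalid/chrome/content/\n"
                   "override chrome://browser/content/browser.xul chrome://other/content/browser.xul\n")
        z.writestr("chrome/content/browser.xul", "<overlay/>")
        z.writestr("chrome/content/helper.exe", b"MZ")
    return buf.getvalue()
```

To run it over an installed add-on, pass the XPI's bytes: audit_xpi(open("some.xpi", "rb").read()).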
43. What Should a Developer Do?
That's a whole presentation by itself.
- Don't bypass wrappers
- Don't trust content from the untrusted context
- Don't use eval()
Follow this link: https://developer.mozilla.org/en/Security_best_practices_in_extensions
45. Last Words
- We discussed some ways to subvert the Mozilla Platform
- This list is not by any means exhaustive
- There are some strategies like sandboxes which can be bypassed
- New features like themes open new avenues!
- Last, Mozilla is a secure platform but can be made to do lots of tricks... so some care should be taken.