SlideShare a Scribd company logo

Sunil - Hacking Firefox - ClubHack2007

Download as PPT, PDF
ClubHack
ClubHack

This document summarizes how malware can steal sensitive web information by exploiting Firefox vulnerabilities. It describes how a malicious Firefox extension could intercept HTTP requests, parse them to retrieve usernames, passwords, credit card numbers entered by the user on various websites. The malware would collect these secrets and send them to an external server via a Communicator Module. It then discusses techniques the malware could use to install itself on a victim's Firefox browser like exploiting other software vulnerabilities, bundling with popular extensions, or leveraging Firefox's extension upgrade process.

TechnologyNews & Politics
1 of 19
Hack Firefox to steal web-secrets Sunil Arora
How many of you use Firefox ?
Firefox and extensions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object]
Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
[object Object],Malware - Secret Collector -I Normal http request process Parse http request And Retrieve user typed Web secrets
Malware - Secret Collector - II ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],How to intercept http request “ Notifications” mechanism in Firefox ???
Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
Communicator Module Target List Secret List Internet
How it can find its way to john’s Firefox - I ,[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],How it can find its way to john’s FireFox - II
Firefox extension upgrade vulnerability ,[object Object],[object Object],[object Object],[object Object]
Facebook Extension ,[object Object],[object Object],[object Object],[object Object]
Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
Advisory ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Thank U [email_address]

Recommended

Wordpress security 101 202
Wordpress security 101 202Wordpress security 101 202
Wordpress security 101 202James Ruffer
 
Security presentation
Security presentationSecurity presentation
Security presentationSmart Mirror
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP Frameworks
Valency Networks
 
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyCSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
Yhal Htet Aung
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
East West University
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
achettih
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you think
Nathan Winters
 
The trojan horse virus
The trojan horse virusThe trojan horse virus
The trojan horse virus
HTS Hosting
 

Recommended

Wordpress security 101 202
Wordpress security 101 202Wordpress security 101 202
Wordpress security 101 202James Ruffer
 
Security presentation
Security presentationSecurity presentation
Security presentationSmart Mirror
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP Frameworks
Valency Networks
 
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyCSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
Yhal Htet Aung
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
East West University
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
achettih
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you think
Nathan Winters
 
The trojan horse virus
The trojan horse virusThe trojan horse virus
The trojan horse virus
HTS Hosting
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
Martins Chibuike Onuoha
 
Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course PresentationJesse Emerick
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
Abdelhamid Limami
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
Sagilasagi1
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part Onebackdoor
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
Symptoms of aol and remove
Symptoms of aol and removeSymptoms of aol and remove
Symptoms of aol and remove
jreidmichele
 
Rock you social game strategies
Rock you social game strategiesRock you social game strategies
Rock you social game strategiesweichengwendao
 
interview
interviewinterview
interviewKanishka Singh
 
Mujeres wayuu,
Mujeres wayuu,Mujeres wayuu,
Mujeres wayuu,
walo0825
 
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSHERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
dianalzate87
 
Planificadorhoy. terminado
Planificadorhoy. terminadoPlanificadorhoy. terminado
Planificadorhoy. terminado
milesape
 
Splash page_2
Splash page_2Splash page_2
Splash page_2wallpapergirl
 
Creativos V2. .
Creativos V2. .Creativos V2. .
Creativos V2. .
Inside Out Marketing
 
certificateMSU (17)
certificateMSU (17)certificateMSU (17)
certificateMSU (17)Kevin Parrish
 
Subtraccao e Adicao
Subtraccao e AdicaoSubtraccao e Adicao
Subtraccao e AdicaoRute Guilherme
 
International Shipping - Growing US Exports
International Shipping - Growing US ExportsInternational Shipping - Growing US Exports
International Shipping - Growing US Exportsbrianhodgson
 
Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008ClubHack
 
AnbeFBECHeng
AnbeFBECHengAnbeFBECHeng
AnbeFBECHengCarsten Holm
 
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Roxana Mazilu
 
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09weichengwendao
 

More Related Content

What's hot

Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
Martins Chibuike Onuoha
 
Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course PresentationJesse Emerick
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
Abdelhamid Limami
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
Sagilasagi1
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part Onebackdoor
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
Symptoms of aol and remove
Symptoms of aol and removeSymptoms of aol and remove
Symptoms of aol and remove
jreidmichele
 

What's hot (8)

Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
 
Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course Presentation
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part One
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
Symptoms of aol and remove
Symptoms of aol and removeSymptoms of aol and remove
Symptoms of aol and remove
 

Viewers also liked

Rock you social game strategies
Rock you social game strategiesRock you social game strategies
Rock you social game strategiesweichengwendao
 
Mujeres wayuu,
Mujeres wayuu,Mujeres wayuu,
Mujeres wayuu,
walo0825
 
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSHERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
dianalzate87
 
Planificadorhoy. terminado
Planificadorhoy. terminadoPlanificadorhoy. terminado
Planificadorhoy. terminado
milesape
 
Creativos V2. .
Creativos V2. .Creativos V2. .
Creativos V2. .
Inside Out Marketing
 
International Shipping - Growing US Exports
International Shipping - Growing US ExportsInternational Shipping - Growing US Exports
International Shipping - Growing US Exportsbrianhodgson
 
Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008ClubHack
 
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Roxana Mazilu
 
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09weichengwendao
 
moca Poster a2 2
moca Poster a2 2moca Poster a2 2
moca Poster a2 2
Arai Ran
 
Elisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacaoElisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacaoSirlene Sena
 

Viewers also liked (20)

Rock you social game strategies
Rock you social game strategiesRock you social game strategies
Rock you social game strategies
 
interview
interviewinterview
interview
 
Mujeres wayuu,
Mujeres wayuu,Mujeres wayuu,
Mujeres wayuu,
 
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSHERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
 
Planificadorhoy. terminado
Planificadorhoy. terminadoPlanificadorhoy. terminado
Planificadorhoy. terminado
 
Splash page_2
Splash page_2Splash page_2
Splash page_2
 
Creativos V2. .
Creativos V2. .Creativos V2. .
Creativos V2. .
 
certificateMSU (17)
certificateMSU (17)certificateMSU (17)
certificateMSU (17)
 
Subtraccao e Adicao
Subtraccao e AdicaoSubtraccao e Adicao
Subtraccao e Adicao
 
International Shipping - Growing US Exports
International Shipping - Growing US ExportsInternational Shipping - Growing US Exports
International Shipping - Growing US Exports
 
Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008
 
AnbeFBECHeng
AnbeFBECHengAnbeFBECHeng
AnbeFBECHeng
 
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
 
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
 
Photography.compressed
Photography.compressedPhotography.compressed
Photography.compressed
 
7
77
7
 
moca Poster a2 2
moca Poster a2 2moca Poster a2 2
moca Poster a2 2
 
Adam
AdamAdam
Adam
 
Elisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacaoElisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacao
 
Healbe
HealbeHealbe
Healbe
 

Similar to Sunil - Hacking Firefox - ClubHack2007

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna) ClubHack
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
Peter Wood
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Cenzic
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
File Inclusion.pdf
File Inclusion.pdfFile Inclusion.pdf
File Inclusion.pdf
Okan YILDIZ
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert TrendSC Leung
 
Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3
Denise Bailey
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
DrMajidMumtaz
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
SadiaMuqaddas
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network Security
Asif Raza
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
ROHITCHHOKER3
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
MarcoAntonioSotoVera
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
Wail Hassan
 
Password Attack
Password Attack Password Attack
Password Attack
Sina Manavi
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
091005 Internet Security
091005 Internet Security091005 Internet Security
091005 Internet Security
dkp205
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserAditya K Sood
 

Similar to Sunil - Hacking Firefox - ClubHack2007 (20)

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna)
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
File Inclusion.pdf
File Inclusion.pdfFile Inclusion.pdf
File Inclusion.pdf
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert Trend
 
Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network Security
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Use
 
Password Attack
Password Attack Password Attack
Password Attack
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
 
091005 Internet Security
091005 Internet Security091005 Internet Security
091005 Internet Security
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 

More from ClubHack

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
ClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
ClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
ClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
ClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
ClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
ClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
ClubHack
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
ClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
ClubHack
 

More from ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 

Recently uploaded

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 

Recently uploaded (20)

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 

Sunil - Hacking Firefox - ClubHack2007

  • 1. Hack Firefox to steal web-secrets Sunil Arora
  • 2. How many of you use Firefox ?
  • 3.
  • 4.
  • 5. Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
  • 6. John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
  • 7. Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
  • 8.
  • 9.
  • 10. Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
  • 11. Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
  • 12. Communicator Module Target List Secret List Internet
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
  • 18.