Firefox security test add-on contains backdoor

Summary: Kinda ironic that a security add-on for Firefox contained a backdoor that leaked confidential information to an unknown third party.

TOPICS: Security, Browser

However, using the Mozilla Sniffer add-on would have introduced an unexpected vulnerability in any application being tested — whenever a login form was submitted, the add-on secretly sent a copy of the URL, password and other details to an IP address presumably controlled by the malicious author.

The backdoor was uncovered by Mozilla user Johann-Peter Hartmann of SektionEins, who was using the add-on to test the security of a friend's online game.

This was a pretty serious issue. The Mozilla Sniffer add-on overwrote some of the original Tamper Data files and added a new script that injected a new function, which was called whenever a form was submitted by the browser. The function looked for any forms that had non-empty password fields and then used two other functions to send the data to the third party, presumably a fraudster.

Oooops.
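A defender's check for the repackaging described above, as an added example that is not from the article, Mozilla or the add-on itself: it diffs a candidate XPI (a zip archive) against a trusted copy of the add-on it derives from and flags changed or added scripts that combine a form-submit hook, a password-field check and an outbound request. The file names, marker patterns and sample archives are constructed assumptions.

```python
import hashlib
import io
import re
import zipfile

# Heuristic markers (assumed patterns): submit hook, password-field check, outbound request.
MARKERS = {
    "submit_hook": re.compile(r"""addEventListener\(\s*['"]submit['"]"""),
    "password_read": re.compile(r"""type\s*={2,3}\s*['"]password['"]"""),
    "network_send": re.compile(r"XMLHttpRequest|\bfetch\("),
}

def members(xpi_bytes):
    """Return {path: raw bytes} for every file inside an XPI archive."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return {n: z.read(n) for n in z.namelist() if not n.endswith("/")}

def audit(baseline_xpi, candidate_xpi):
    """List (path, status, marker hits) for files added or modified vs. the baseline."""
    base, cand = members(baseline_xpi), members(candidate_xpi)
    report = []
    for name, data in sorted(cand.items()):
        if name not in base:
            status = "added"
        elif hashlib.sha256(base[name]).digest() != hashlib.sha256(data).digest():
            status = "modified"
        else:
            continue  # byte-identical to the trusted copy
        text = data.decode("utf-8", "replace")
        hits = sorted(k for k, rx in MARKERS.items() if rx.search(text))
        report.append((name, status, hits))
    return report

def make_xpi(files):
    """Build an in-memory XPI from {path: source}; only used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, src in files.items():
            z.writestr(path, src)
    return buf.getvalue()

# Constructed samples: hypothetical paths and inert marker strings, not the real add-on.
ORIGINAL = make_xpi({"content/original.js": "function original() {}",
                     "install.rdf": "<RDF/>"})
REPACKAGED = make_xpi({"content/original.js": "function original() {} // changed",
                       "install.rdf": "<RDF/>",
                       "content/added.js": 'addEventListener("submit", h); '
                                           '/* type == "password" */ XMLHttpRequest'})

if __name__ == "__main__":
    print(audit(ORIGINAL, REPACKAGED))
```

Any "added" or "modified" entry deserves a manual read before the add-on is installed; the marker hits only prioritise which file to open first.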


Talkback

9 comments
  • Just goes to show that a centralized repository is not the panacea...

    ...that some would have us believe it is.
    ye
    • RE: Firefox security test add-on contains backdoor

      @ye

      Still better than random downloads but nothing is to be trusted 100%.
      pj_mouse
    • @ye, it's better than the windoze way

      ..which consists of clicking on every goofy wizard in sight...
      ahh so
      • RE: Firefox security test add-on contains backdoor

        A "security" update is hacked to send your site/ID/password info to a third party, imagine what somebody in the Ukraine could do with your Amazon account. The response isn't "Thanks for the warning" but complaints about "windoze". Instead of making arrogant defensive comments, try something like "That's not what your momma said last night", at least you'd be amusing.
        rob07601
      • RE: Firefox security test add-on contains backdoor

        @rob07601
        Thanks for what? ye's built in hostility for all things not Micro$oft?

        He knows good and well Open Source software thrives on a centralized repository and this was just another dig at that.

        Stick around, son. You'll get the hang of it.

        ;)
        ahh so
  • RE: Firefox security test add-on contains backdoor

    Security should not be an add-on function. The main reason IE8 gets good ratings is that you don't need add-ons to make it useful. Putting sites in the right security level and using In Private filtering gets IE8 by itself into the same level of security of Firefox with add-ons. Both of these get the best ratings (even stopping 80% or more of phishing scams, etc). None of the other browsers are even close to these two in blocking problems when you fall for it and click on a bad site.
    mswift1
    • Oh spare us the horsesh!t, puh-leease...

      That is so TIRED.

      Think everybody's gonna give up Firefox over this?

      Run along now. honeymonster's calling you.
      ahh so
    • eh?

      @mswift@...

      Um, when was the last time you used FF? Maybe it's time to look again. LOL
      Drakaran