Topic: Security

Firefox security test add-on contains backdoor

Summary: Kinda ironic that a security add-on for Firefox contained a backdoor that leaked confidential information to an unknown third-party.

By Adrian Kingsley-Hughes for Hardware 2.0 | July 15, 2010 -- 07:03 GMT (00:03 PDT)

Follow @the_pc_doc

Kinda ironic that a security add-on for Firefox contained a backdoor that leaked confidential information to an unknown third-party.

However, using the Mozilla Sniffer add-on would have introduced an unexpected vulnerability in any application being tested — whenever a login form was submitted, the add-on secretly sent a copy of the URL, password and other details to an IP address presumably controlled by the malicious author.

The backdoor was uncovered by Mozilla user Johann-Peter Hartmann of SektionEins who was using the add-on to test the security of a friend's online game.

This was a pretty serious issue. The Mozilla Sniffer add-on overwrote some of the original Tamper Data files, and added a new script that injected injects a new function which was called whenever a form is submitted by the browser. The function looked for any forms that have non-empty password fields and then uses two other functions to send the data to the third-party, presumably a fraudster.

Oooops.

Topics: Security, Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments

Log in or register to join the discussion

Just goes to show that a centralized repository is not the panacea...

...that some would have us believe it is.

ye
15 July, 2010 07:57

Reply Vote
- RE: Firefox security test add-on contains backdoor
 
 @ye
 
 Still better than random downloads but nothing is to be trusted 100%.
 
 pj_mouse
 15 July, 2010 09:40
 
 Reply Vote
- @ye, it's better than the windoze way
 
 ..which consists of clicking on every goofy wizard in sight...
 
 ahh so
 15 July, 2010 16:48
 
 Reply Vote
 - RE: Firefox security test add-on contains backdoor
 
 A "security" update is hacked to send your site/ID/password info to a third party, imagine what somebody in the Ukraine could do with your Amazon account. The response isn't "Thanks for the warning" but complaints about "windoze". Instead of making arrogant defensive comments, try something like "That's not what your momma said last night", at least you'd be amusing.
 
 rob07601
 17 July, 2010 07:48
 
 Reply Vote
 - RE: Firefox security test add-on contains backdoor
 
 @rob07601
 Thanks for what? ye's built in hostility for all things not Micro$oft? He knows good and well Open Source software thrives on a centralized repository and this was just another dig at that. Stick around, son. You'll get the hang of it. ;)
 
 ahh so
 17 July, 2010 13:58
 
 Reply Vote
- RE: Firefox security test add-on contains backdoor
 
 @ye <a href="http://cupu.web.id/pulauweb-web-hosting-murah-indonesia/">Pulauweb Web Hosting Murah Indonesia</a>
 <a href="http://cupu.web.id/blogger-nusantara-blogpreneur-indonesia/">Blogger Nusantara Blogpreneur Indonesia</a>
 
 upinson
 11 October, 2011 06:19
 
 Reply Vote
RE: Firefox security test add-on contains backdoor

Security should not be an add-on function. The main reason IE8 gets good ratings is that you don't need add-ons to make it useful. Putting sites in the right security level and using In Private filtering gets IE8 by itself into the same level of security of Firefox with add-ons. Both of these get the best
ratings (even stopping 80% or more of phishing scams, etc). None of the other browsers are even close to these two in blocking problems when you fall for it and click on a bad site.

mswift@...
15 July, 2010 10:40

Reply Vote
- Oh spare us the horsesh!t, puh-leease...
 
 That is so TIRED. Think everybody's gonna give up Firefox over this? Run along now. honeymonster's calling you.
 
 ahh so
 15 July, 2010 16:52
 
 Reply Vote
- eh?
 
 @mswift@...
 
 Um, when was the last time you used FF? Maybe it's time to look again. LOL
 
 Drakaran
 19 July, 2010 05:59
 
 Reply Vote