On 2004-10-01, Mike Henley <[EMAIL PROTECTED]> wrote:
> Hi. I'm using mozilla and mozilla firefox. I often install extensions
> though only through the usual websites (mozilla.org, mozdev,
> texturizer).
>
> Today though I tried to install an extension from
> http://jgillick.nettripper.com/ and as such found myself wondering if
> extensions compromise the security of mozilla or firefox.
>
> I use firefox to access sites such as paypal and my bank. As such I
> would like to ask the following questions...
>
> 1 - can someone make an extension that would allow it (while
> performing its advertised function) to send my username/password
> either from those stored in mozilla/firefox or as I enter them?

Yes. You should think of extensions the same way as other executables. Extensions can actually contain and launch binary executables, or they can use script to manipulate your system any way they want via the browser. There have been previous examples both of malicious extensions (installing adware and hijacking the user's home page by changing network settings), and also of popular extensions (with no malicious intent) having serious security flaws.

> 2 - can such an application make it to the trusted sites? (mozilla,
> mozdev, texturizer)? or is there a review process before such
> extension is allowed to be distributed?

As far as I know (I don't have first-hand knowledge), the review process at all of those sites is informal, but it does exist - the maintainers will take into account whether the author is known to them and/or in the "community", and try to establish, themselves or from feedback, that the extension works and doesn't do anything obviously nasty. If they get reports from people that it does have nasty bugs (or, not that it's happened as far as I know, contains malicious code), they can pull the extensions. I think update.mozilla.org makes more of an effort to do that than the other two...

So, it's unlikely that a blatantly malicious extension would make it onto those sites. On the other hand, there isn't a careful review of the extension code or anything like it, so if someone were to put a little effort into participating in the "community" and made a useful extension with some hidden nastiness, they might be able to get around the informal safeguards. There's probably a higher chance of an extension author accidentally opening up security holes which could be exploited by malicious web sites.

In general, you should make judgements about Mozilla/Firefox extensions in the same way that you would make judgements about downloading other applications.
--
Michael
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
