Makers of some of the most popular extension software used by the Firefox browser are not doing enough to secure their software, a security researcher said Wednesday. The problem is that many widely used Firefox extensions, including toolbars from Google, Yahoo, and AOL, do not use secure connections to update themselves, according to Christopher Soghoian, a security researcher.
The Indiana University doctoral student discovered the Firefox issue last month while examining network traffic on his computer. He noticed that many of the most popular Firefox extensions are not hosted on servers that use SSL, the Web protocol that encrypts the connection and verifies the server's identity.
Although the corporation behind Firefox, Mozilla, hosts the majority of Firefox extensions on its own SSL-enabled Web site, it is common for commercial extension-makers such as Google to host their software on an unsecured site, Soghoian said in an interview.
This leaves users vulnerable to a “man-in-the-middle” attack, where Firefox could be tricked into downloading malicious software from a site it mistakenly thought was hosting an extension.
It wouldn’t be easy for an attacker to pull this off, however. In one scenario, the hacker would set up a malicious wireless access point in a public area where people are using wireless connections. He could then redirect extension update traffic to a malicious computer. “An attacker who sets up a wireless access point can then infect anyone who connects to it,” Soghoian said.
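As an added example (not code from the article or from any extension vendor), the following Python script audits the install.rdf manifest that Firefox extensions of this era shipped, and flags an update channel served over plain HTTP with no signing key, which is the exposure described above. The sample manifest and its example.invalid domain are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed sample manifest with a hypothetical vendor domain, not a real extension.
SAMPLE_INSECURE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.example.invalid/toolbar/update.rdf</em:updateURL>
  </Description>
</RDF>"""


def _field(desc, name):
    """Read an em: field written either as a child element or as an attribute."""
    child = desc.find(EM + name)
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(EM + name)


def audit_manifest(xml_text):
    """Classify how an extension fetches its updates: HTTPS, signed HTTP, or bare HTTP."""
    root = ET.fromstring(xml_text)
    desc = root.find(RDF + "Description")
    if desc is None:
        raise ValueError("no install-manifest Description found")
    url = _field(desc, "updateURL")
    signed = _field(desc, "updateKey") is not None  # em:updateKey signs the update manifest
    if url is None:
        # No updateURL means Firefox asks addons.mozilla.org, which is served over SSL.
        verdict = "ok: no updateURL, updates come from addons.mozilla.org over HTTPS"
    elif urlparse(url).scheme.lower() == "https":
        verdict = "ok: update manifest fetched over HTTPS"
    elif signed:
        verdict = "weak: plain HTTP, but the update manifest is signed (em:updateKey)"
    else:
        verdict = "insecure: plain HTTP with no updateKey; exposed to man-in-the-middle"
    return {"update_url": url, "signed": signed, "verdict": verdict}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_INSECURE)["verdict"])
```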