Browser extensions are in the news lately, and not just for Firefox. Recently, hackers have corrupted several Google Chrome extensions, and are using them to display unwanted ads to unsuspecting users. For Firefox though, matters are a fair bit worse. It’s not just ads that Firefox users have to worry about, it’s the possibility of losing total control of their browser to a hacker, and that, of course, opens the door to losing control of your computer itself.
Chrome and Firefox handle extensions differently, and in the case of Firefox, extensions are allowed to share code. This opens up a window of potential exploitation. If the hackers can get one corrupted extension past Firefox’s manual code integrity checkers, and that extension gets downloaded by a user, it can begin passing code to other extensions with elevated privileges, and ultimately wind up with full control over a user’s browser. At that point, all bets are off. The now-controlled browser could download a malicious file in the background without the user’s knowledge, or the hacker could keep track of every keystroke logged by the user. In either case, that amounts to bad news.
It should be noted, however, that this hack only came to light after an extensive two years of testing. This is not the sort of attack that a garden variety hacker could, or would even think to pull off, but there are clearly hackers out there who could do such a thing, and given the nature of the attack, there’s virtually no defense against it.
There’s good news on that front, however. Firefox has already responded, reporting that that later this year, they’ll be releasing a new set of browser extension APIs that introduce multi-process architecture to Firefox, and by extension, to all the extensions users might install. This will, by definition, keep them from using the same code, which will solve the problem. Provided users update, of course, making it more important than ever to keep current with updates.