Slashdot: News for Nerds

How the Mozilla Sniffer Backdoor Was Discovered

CmdrTaco posted about 4 years ago | from the hate-when-that-happens dept.

Firefox 201

An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."

201 comments

Native features in browser (1, Flamebait)

SquarePixel (1851068) | about 4 years ago | (#32912264)

I mean seriously, the addons give access to everything you do in the browser. A lot of people here on slashdot know not to run random executables from the Internet, but do nothing to check if their browser addons are secure and not malware.

This is why I love that Opera comes built-in with all the features you need and a lot more. Not only are they made using the same quality standards and conventions, there is no way some rogue developer could hide password stealing code in them.

Re:Native features in browser (5, Insightful)

Tar-Alcarin (1325441) | about 4 years ago | (#32912364)

there is no way some rogue developer could hide password stealing code in them.

And since Opera is not open source, there is no way to be sure of that.

Re:Native features in browser (5, Insightful)

Hijacked Public (999535) | about 4 years ago | (#32912374)

And Firefox is open source, and there is no way to be sure of it.

Re:Native features in browser (4, Insightful)

bsDaemon (87307) | about 4 years ago | (#32912400)

Unless you go through all the code yourself, there's no way to be sure of anything. And unless you're uber-bad-ass, it's going to be really hard to understand every line in a massive code-base someone else wrote, let alone how they all play together. So, even if you do your own audit, you can't really be sure. Life's a bitch, isn't it?

Re:Native features in browser (4, Insightful)

jcochran (309950) | about 4 years ago | (#32912658)

Unless you go through all the code yourself, there's no way to be sure of anything.

Only thing that can be made about that statement is to point to a nice little presentation by Ken Thompson. Take a look at 'Reflections on Trusting Trust'. Almost certain you haven't seen it given your comment.

Re:Native features in browser (5, Informative)

bsDaemon (87307) | about 4 years ago | (#32912694)

No, I've seen it. I used to have a pretty decent email pen-pal thing going on with Ken about 10 years ago. He's a pretty cool dude. The point is, yes, even if you see the code, unless you have the code to the compiler and build it yourself, then you can't trust the binary. Basically, you can't trust anything you don't create from scratch. There could also be back-doors in ROM in the hardware. Which is why I go on to say how even if you do your own audit you can't actually trust anything. Either you won't understand everything, you'll have taken in too much information and miss something vital or, as per your example, the real root of the problem will be so obscured from view that it doesn't even matter what you're auditing.

Re:Native features in browser (1, Informative)

Joce640k (829181) | about 4 years ago | (#32912754)

Source is ok ... but can you trust your compiler [scienceblogs.com] ?

Re:Native features in browser (1)

commodore64_love (1445365) | about 4 years ago | (#32913342)

>>>Either you won't understand everything, you'll have taken in too much information and miss something vital or, as per your example, the real root of the problem will be so obscured from view

Sounds like a good argument for keeping code as short-and-simple as possible. I recently tried the Kolibri OS that fit on a single floppy. Obviously that means it has limited function, but it's also easy to review and understand the code because it's so short. Another more useful example is Utorrent, which is barely 8 megabytes - that code is also easy to review and understand because of its brevity.

Re:Native features in browser (4, Interesting)

Torodung (31985) | about 4 years ago | (#32913902)

Reminds me of a line in Doctor Who's last season:

Amy: You don't always tell me the truth.

The Doctor: If I always told you the truth, I wouldn't have to ask you to trust me.

Trust is not a state of absolute certainty or God-like understanding. In the end, it's a process of establishing your own comfort. You have to decide which risks matter to you personally, and which assurances are sufficient.

Trying to guarantee that every component and piece of software in a computer is "benign" to everyone is a fruitless, endless process.

But I certainly appreciate the complications you bring up. In the final analysis, all trust must be conditional, and revocable.

--
Toro

Re:Native features in browser (3, Insightful)

Anonymous Coward | about 4 years ago | (#32912678)

This is where the "many eyes" comes into play for open source...

Re:Native features in browser (3, Informative)

L4t3r4lu5 (1216702) | about 4 years ago | (#32914062)

Jim: This source is fine.
Jon: This is great, good work.
Jane: Clean and efficient, great addon.

*Create account: Jack*
Jack: Yeah, awesome stuff! Jim, Jon, and Jane are all correct.

*Create account: James*
James: I love this addon! No viruses here :D

Re:Native features in browser (2, Informative)

Pollardito (781263) | about 4 years ago | (#32912690)

Unless you go through all the code yourself, there's no way to be sure of anything.

you mean unless you go through the code, compile it yourself using a compiler whose code you've also audited and itself was not compiled by an unaudited compiler [bell-labs.com]

Re:Native features in browser (1)

bannable (1605677) | about 4 years ago | (#32912722)

Even if you read all the code, you still can't be sure [bell-labs.com].

Re:Native features in browser (1)

maratumba (1409075) | about 4 years ago | (#32912924)

You are right. There is a reason it's called "code".

Re:Native features in browser (1)

shop S Mart (755311) | about 4 years ago | (#32913728)

I agree, my only hope is that by using a hugely popular open source browser (firefox) that hundreds of people much smarter than me have poked around inside it to make sure it isn't laced with malware and if something is found it's fixed/posted on popular sites or whatever to warn others. Addons however are more risky since not all addons are used/inspected by everyone obviously.

Re:Native features in browser (4, Interesting)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32912440)

It is impossible to be sure, all sorts of surprisingly devious side channels have been devised (that, and some fairly dramatically invasive behavior by vendors has become accepted as normal; after all, only a freetard would object to an application phoning home routinely...); but for something like Opera, where "non-malicious" network activity is fairly easy to characterize, checking for malicious network activity is far from impossible, without even touching the binary (something like Skype, on the other hand, where the network activity is a big, fat, blackbox, is a lot trickier).

In this case, for instance, the malice was flagged by somebody watching network traffic, which is pretty trivial on any platform that doesn't have a bad case of being a console/iProduct. A purely binary, closed source, application could have been caught in exactly the same way.

Re:Native features in browser (3, Insightful)

Runaway1956 (1322357) | about 4 years ago | (#32913192)

Uhhhmmmm - yeah, I think. I guess I'm a freetard. Now and then, I'll fire up Wireshark, and just watch the traffic. Yeah, I can see that my deviant son is browsing a porn site. I can see that the wife is checking her email and the banking. I can see that the other kid is looking for car parts. And - the other other kid is playing games. But, why on earth does he have packets going to http://xxx.xxx.xxx.xxx/ [xxx.xxx] ??? That isn't a game site - he's not browsing, or there would be a lot more packets. Hmmmmm. A little checking, and I holler at him. "Have you installed anything lately? Have you done a virus scan on your stupid Windows laptop? What is this site?" He looks at it, tells me it's nothing HE ever heard of, goes back to his machine, and does some checking. An hour or so later, he admits that he was testing some stupid schitz that one of his buddies recommended. One of the features happens to be a trojan.

I don't bother making reports - I guess if I did, I might get my name attached to some zero day thingy. Hmmmm. That might not be good either. The better known you are, the harder it is to stay anonymous when you really WANT to be anonymous!

Re:Native features in browser (1)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32913532)

I hope the sarcasm in my use of "freetard" was sufficiently evident. I find the fact that it is considered normal for all sorts of software to report more or less whatever they want back to the mothership, in exchange for another few days of "You are only a suspected; but not yet confirmed, pirate. You may continue to use our software." rather disturbing.

Were any "respectable" software to be operating maliciously, this would probably be the easiest way to exfiltrate captured data. Because the phoning home is to stymie the wicked pirates, you can rationalize it being encrypted, and thus avoid trivial detection by network sniffing.

Re:Native features in browser (3, Interesting)

osgeek (239988) | about 4 years ago | (#32912546)

There's no way to be sure of anything, but as far as risk goes, you have to admit that trusting one vendor with a financial stake in not having a privacy loss scandal is a lot easier than trusting any random person in the world who can submit a plugin to the mozilla site.

I'm a software developer, but I'm not going to go over every line of source code for the applications or plugins that I install on my computer. Seriously, even if you did, have you ever read along with or participated in code obfuscation contests? Many developers with malicious intent can make evil code look totally innocuous.

Re:Native features in browser (1)

vegiVamp (518171) | about 4 years ago | (#32913340)

Vendors have financial stakes in privacy loss scandals ? That's apparently not how Suckerberg sees things.

Re:Native features in browser (2, Interesting)

mcgrew (92797) | about 4 years ago | (#32913746)

Seriously, even if you did, have you ever read along with or participated in code obfuscation contests?

Any obfuscated code, especially if it's FOSS, should be suspect. Either they have something to hide, or they're a shitty programmer. Either way, I don't want their code on my hardware.

Re:Native features in browser (4, Informative)

eddy (18759) | about 4 years ago | (#32912588)

>And since Opera is not open source, there is no way to be sure of that.

Sure there is, you can reverse-engineer it to see what it does. You know, just because all you have is the binary doesn't mean you've suddenly entered a magic land where nothing can be understood.

(I'm going to ignore "but can you trust your tools" asshatery)

Re:Native features in browser (2, Interesting)

commodore64_love (1445365) | about 4 years ago | (#32912838)

>>>And since Opera is not open source, there is no way to be sure of that.

I think we can trust the Opera developers. They've been around long enough (15 years), and they are the #1 browser in eastern Europe and Russia* so someone would have caught them by now, if they were thieves. ----- My main complaint about Opera's built-in features is it creates a memory hog. I don't need AdBlock or Bittorrent or Mail in my web browser. Using Firefox allows me to have a leaner program that is stripped of those features.

* Or so I've heard. I've never seen any proof.

Re:Native features in browser (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#32913612)

I don't need AdBlock

You really are a fucking moron, aren't you?

Re:Native features in browser (3, Insightful)

silanea (1241518) | about 4 years ago | (#32912378)

[...] Opera comes built-in with all the features I need [...]

FTFY. I prefer Firefox's way of offering a basic browser and moving extended or niche features to optional extensions to monolithic blocks like Opera. Of course there is a risk associated with this model, but in my case the benefits far outweigh that risk.

Re:Native features in browser (0)

Anonymous Coward | about 4 years ago | (#32912592)

I prefer Firefox's way of offering a basic browser and moving extended or niche features to optional extensions

If only they had done that with:
  AwfulBar
  Bookmarks
  History
  Personas

Bookmarks and history would be great as extension addons due to the craptastic nature of the basic offering. I don't want a wrapper around your infantile implementation, I want to replace it wholesale.
Personas are retarded. You already have a theming engine, why do you need another one?
Awfulbar is awful.

Re:Native features in browser (1)

silanea (1241518) | about 4 years ago | (#32912654)

While I would argue that both bookmarks and history are integral parts of a modern browser - I cannot recall a single browser that does not have both in some form, with the possible exception of lynx - I agree with you on the other points. Both are nice ideas, and I really love the AwesomeBar, but both should be optional. In the same vein I am happy with Weave/Mozilla Sync, but I am hesitant to see it built into Firefox and Fennec.

Re:Native features in browser (1)

vbraga (228124) | about 4 years ago | (#32912862)

lynx does [isc.org] have bookmarks. I don't remember if it has something like history.

Re:Native features in browser (1)

commodore64_love (1445365) | about 4 years ago | (#32913458)

Can someone point me to a nice lean browser that can run in 32 megabytes (like uTorrent) but is not text-only (like Lynx). It doesn't seem to exist.

Re:Native features in browser (1)

VGPowerlord (621254) | about 4 years ago | (#32913690)

Can someone point me to a nice lean browser that can run in 32 megabytes (like uTorrent) but is not text-only (like Lynx). It doesn't seem to exist.

Client-side scripting and DOM manipulation puts a damper on that fairly quickly. The number of websites that don't work at all without client-side scripting is growing, and will only continue to grow.

maybe Dillo? (2, Informative)

mister_playboy (1474163) | about 4 years ago | (#32913694)

You could try Dillo [wikipedia.org].

Re:Native features in browser (0)

Anonymous Coward | about 4 years ago | (#32913784)

Netscape 3.0?

Re:Native features in browser (3, Insightful)

kyrio (1091003) | about 4 years ago | (#32913792)

History is retarded, I've had it disabled since I first started using browsers with the "feature". Bookmarks should also be an add-on since most home users really don't need it to save their Facebook and Hotmail links.

Re:Native features in browser (0)

Anonymous Coward | about 4 years ago | (#32912798)

I am unfamiliar with this "awfulbar" you speak of, but I am aware of Awesomebar, which is perfectly fine.

Re:Native features in browser (0)

Anonymous Coward | about 4 years ago | (#32913110)

Seriously, Firefox 3 came out like two years ago, people are still bitching about the improvements made to the URL bar? Get over it already. Either revert back to the old, inferior version of the URL bar or use whatever web browser people who are averse to change use.

Re:Native features in browser (1)

Qzukk (229616) | about 4 years ago | (#32913948)

AwesomeBar is one of the things I miss now that I switched to Chrome. (Nuke Anything is another, I'm not seeing an extension that can right click -> Remove This Object. Really helpful on sites like slashdot where shitty html makes invisible divs float over the top of the text like that <div id="slug-Bottom"> that's over the bottom 2-3 comments on every slashdot page.)

In Firefox I had AwesomeBar trained pretty good. "Q" brought me to my comments page, "f" pulled up the firehose, set to display journals, "sl" brought up the main slashdot site, and so on. I could get pretty much anywhere with one-two letters and tab completion. Now in chrome I have to type sla then hit right to complete slashdot.org, then wait a couple of seconds for Chrome to realize that I want more options, then I can get to my comments page or the firehose or whatever.

Re:Native features in browser (1)

thijsh (910751) | about 4 years ago | (#32912416)

It's the windows way...

Re:Native features in browser (0)

Anonymous Coward | about 4 years ago | (#32912992)

Plugins are far more inherent to the Linux (and overall FOSS) design than they are to Windows or any other closed architecture. Mod this one troll.

Re:Native features in browser (3, Insightful)

Ephemeriis (315124) | about 4 years ago | (#32912558)

This is why I love that Opera comes built-in with all the features you need and a lot more

As a geek, I enjoy complexity to an extent. It's cool to have a gadget with lots of nifty features and shiny buttons. But even I'll admit that at some point it can become unwieldy.

I personally prefer a basic browser with a plug-in model that allows me to extend the functionality in whatever way I feel necessary. That way I can add all the shiny buttons I want, without having to deal with the unwieldy stuff that other people want.

Not only are they made using the same quality standards and conventions, there is no way some rogue developer could hide password stealing code in them.

Actually, there is.

One of the Opera developers could go rogue. Or some machine in their development environment could be compromised, which could lead to the distributed software being compromised.

And since Opera is not open source, we'd have to rely on the Opera developers themselves to find the issue. An open source model means that basically anyone with the time/inclination/skills can go in and take a look at the code.

Re:Native features in browser (1)

elrous0 (869638) | about 4 years ago | (#32912738)

From what I understand (never actually used it myself), Opera's adblock features are pretty weak compared to Firefox add-ons like adblock plus. And I doubt it comes with the ability to rip videos from YouTube built in, or the features of a dozen other Firefox add-ons I use regularly.

Re:Native features in browser (1)

mister_playboy (1474163) | about 4 years ago | (#32913754)

From what I understand (never actually used it myself), Opera's adblock features are pretty weak compared to Firefox add-ons like adblock plus.

You understand incorrectly. Opera's adblocking is just as capable as AdBlock+. Just use a good block list such as the one maintained by Fanboy [fanboy.co.nz].

Re:Native features in browser (2, Insightful)

bjourne (1034822) | about 4 years ago | (#32912770)

Well, I like most people, run random executables but only if they are retrieved from trusted sources. Any package I install from my distros repository can potentially contain malicious code but I trust that the distro maintainers keep their stuff clean. I used to trust Firefox extensions downloaded from addons.mozilla.org in the same way, but not so anymore. That's why Chrome's and Opera's software models with built-in features over addons are superior to FF. Because you only have to trust one party instead of dozens of plugin authors.

Re:Native features in browser (3, Interesting)

kyrio (1091003) | about 4 years ago | (#32913916)

I like most people as well!

The only issue with Opera is that they keep adding retarded things like BitTorrent downloading and built in web servers. It also doesn't help that they try to change the entire UI with every milestone.

I still don't see myself switching away any time soon.

Re:Native features in browser (2, Interesting)

Jesus_666 (702802) | about 4 years ago | (#32913132)

This is why I love that Opera comes built-in with all the features you need and a lot more.

Except that it doesn't. I heavily rely on Firefox extensions to, for example, manage my tabs. It's entirely possible for me to work on three projects, each with ten to thirty tabs associated with them, while simultaneously using the same browser for personal stuff, which incurs further tabs. Having fifty or more tabs open at the same time is not unusual for me. Does Opera have an easy way of organizing a huge amount of tabs without having to use additional windows (which break the way I partition my screen)? Firefox has an extension for that. I can even suspend tab groups and open them again later if I know I won't need them for a while.

Likewise, is Dragonfly as powerful as Firebug? Can Opera give me the sent and received HTTP headers in realtime? User styles and plugins not distributed with the browser don't count; you're positing that Opera already comes with anything I need. Plus, what about ARM?


Don't get me wrong. Opera probably does come with anything a casual desktop/notebook user needs. Some people have requirements that don't mesh well with what the Opera devs think the average user wants, however, and in that case Opera becomes rather unattractive. Given that this is Slashdot, the assumption that the people here are average users may not be sound.

Re:Native features in browser (1)

XanC (644172) | about 4 years ago | (#32913972)

That tab grouping sounds like a really useful feature. What is the extension you use for that? I found a number of them that seem similar...

Re:Native features in browser (0)

Anonymous Coward | about 4 years ago | (#32914002)

What is that tab-managing addon you use?

Re:Native features in browser (1)

albedoa (1529275) | about 4 years ago | (#32913250)

This is why I love that Opera comes built-in with all the features you need and a lot more.

Why would I want a lot more than the features I need?

Re:Native features in browser (1)

poetmatt (793785) | about 4 years ago | (#32913610)

opera? no browser comes with all the features we need. If we did, it'd be the only browser we used. What a stupid statement.

Meanwhile, is there a consensus between browsers? No, in fact it's leaning quite the other direction - some like safari, chrome, firefox, ie, etc.

Firefox however, like the others, warns you to be careful of addons and warns what they do. So it's good that they caught this.

Re:Native features in browser (1)

operagost (62405) | about 4 years ago | (#32914078)

This is why I love that Opera comes built-in with all the features you need and a lot more.

Is it both a floor wax AND a dessert topping?

BlueHost (4, Interesting)

bsDaemon (87307) | about 4 years ago | (#32912340)

Looks like the stolen data was being sent to a hacked BlueHost account. Figures.

Re:BlueHost (1)

bannable (1605677) | about 4 years ago | (#32912460)

Anyone else find it disturbing that this is funnier than it is insightful?

Advertised purpose? (2, Interesting)

Anonymous Coward | about 4 years ago | (#32912390)

What was the addon supposed to do?

Re:Advertised purpose? (1)

Zerth (26112) | about 4 years ago | (#32912618)

Security penetration testing. Isn't that just alanis.

I'm thinking it wasn't backdoored, they just pointed it the wrong way around.

Re:Advertised purpose? (4, Informative)

Coopjust (872796) | about 4 years ago | (#32912718)

It was a modified version of Tamper Data that the author alleged "many problems have been solved in this version".

In addition to modifying several existing files, the author added a file called tamperPost.js that very deliberately sends every form submission to a remote server. You can see some of the code of this on the Netcraft article in the summary (or a direct link to the image [netcraft.com]).

When you see the image, you can see that it was obviously a deliberate attempt to steal credentials.

Re:Advertised purpose? (0)

Anonymous Coward | about 4 years ago | (#32912744)

READ THE FUCKING ARTICLE, you cocksmoking teabagger!

Seriously, a screenshot of the add-on's entry on the Mozilla site is clearly shown, including the description of what it is.

Re:Advertised purpose? (0)

Anonymous Coward | about 4 years ago | (#32913318)

Now, now, calm down. Watch your blood pressure. Besides, you have no idea if that cocksmoker is a teabagger or not. He might be another fucking libtard for all you know.

It was bound to happen eventually.. (1, Insightful)

GrBear (63712) | about 4 years ago | (#32912446)

I'm sure there's some parallel regarding the Android vs Apple's logic in distributing apps.. but I'll likely be moderated a troll on /. for pointing them out..

Re:It was bound to happen eventually.. (4, Informative)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32912572)

Is there? Apple's review process doesn't demand source (and, given the review volume, there is Absolutely. No. Way they would be giving proper attention to detecting subtle malice, even if they did). The review process seems to be reasonably good at weeding out applications that crash horribly often enough that the reviewer will run into a crash, which blatantly violate the rules, which seem likely to be fodder for stories that will tarnish Apple's PR, or which "duplicate" some feature that exists or is on Apple's secret roadmap. It has also been rumored that they have some sort of static analysis tool to detect use of private APIs.

Nothing in that process would detect any but the most blatantly unsubtle malice (and, given that reviews tend to occur fairly quickly, something as simple as recording the date of first run, and not doing anything evil until 1 month has passed would probably count as "subtle" for the purposes of this exercise).

If malice is detected by a third party, or by some after-the-fact spot-check; both Apple and Android have practically identical capabilities to "unpublish and remove" an application from any device that hasn't been divorced from the mothership. For that matter, Mozilla can also issue FF updates that disable add-ons (as they did a while back for that MS .NET one, and as they have announced they will do here).

Re:It was bound to happen eventually.. (1)

RivenAleem (1590553) | about 4 years ago | (#32912636)

What parallel? There's no chance of people who already have this add-on having it magically taken away from them. You know, we gotta protect people's rights and leave them vulnerable to this add-on and all...

Re:It was bound to happen eventually.. (0)

Anonymous Coward | about 4 years ago | (#32912652)

Apple does not review the code of the application in the app store so I'm not sure what you're on about.

Re:It was bound to happen eventually.. (0)

Anonymous Coward | about 4 years ago | (#32912664)

Nothing of the sort. Apple do not analyse the functionality of something in their repository, they merely look at the toolkit, whether there's any sexual content, plus the instant rejection of anything using something remotely close to apple's trademarks.

seeing the recent fraud committed (2, Interesting)

Shivetya (243324) | about 4 years ago | (#32912674)

on Apple's store you're suggesting we avoid Apple products? I figure you were going to imply Android as being less safe, but the only recent story about market safety I have seen is someone exploiting iTunes accounts to the benefit of a single developer.

though it would be interesting to have two bad apps released simultaneously into both markets and see which one gets caught first

Re:It was bound to happen eventually.. (1)

thoromyr (673646) | about 4 years ago | (#32913958)

ah yes, you brought them out (though you aren't modded troll at the moment). Seems people can't grasp the basic conceptual difference: open versus closed market place, only able to yammer that "apple doesn't see the source". Ah well.

Informative article (4, Informative)

Cathoderoytube (1088737) | about 4 years ago | (#32912456)

Good job not actually telling the name of the offending plugin in the article blurb there. 'A new severe bug in mozilla is allowing hooligans to steal your passwords. But we won't tell you which one until after the break!'

Re:Informative article (1, Informative)

Anonymous Coward | about 4 years ago | (#32912536)

RTFT.

Re:Informative article (1)

elrous0 (869638) | about 4 years ago | (#32912538)

Crazed gunman shooting up local mall...We'll tell you where after these messages for our sponsors.

Re:Informative article (0)

Anonymous Coward | about 4 years ago | (#32914118)

Crazed gunman shooting up local mall...We'll tell you where after these messages for our sponsors.

Reminds me of 9/11. Turn on the TV, talking heads blathering, blathering, blathering about fire and planes and airports. I change channels. More talking heads blathering about fire and planes and airports. I can't make heads or tails of it until finally some talking head has the presence of mind to say the World Trade Center has been attacked.

Re:Informative article (5, Informative)

renrutal (872592) | about 4 years ago | (#32912540)

From TFA:

An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

Re:Informative article (0)

Anonymous Coward | about 4 years ago | (#32912686)

So people do install a plugin named like that? Wonderful. :)

Re:Informative article (2, Insightful)

cdrudge (68377) | about 4 years ago | (#32913262)

Would it have been so hard to have written "Mozilla pulled one of their Firefox add-ons, Mozilla Sniffer, earlier this week..." in the summary though? Most of the people here have a hard enough time reading the summary, let alone the actual article linked to.

Re:Informative article (1)

idontgno (624372) | about 4 years ago | (#32913330)

Click The Fine Linky. Hell, it's Netcraft, so it's probably good reading anyway.

Oh, right, /. Where "tl;dr" is a way of life.

Re:Informative article (2, Funny)

Monkeedude1212 (1560403) | about 4 years ago | (#32913334)

“Mozilla Sniffer”

Seriously?

With the evil and nefarious scheme of stealing login info, this was their best attempt at hiding the true nature of the add-on?

Re:Informative article (3, Insightful)

stephanruby (542433) | about 4 years ago | (#32913578)

It was portraying itself as a security extension. If you think about it, that makes sense. Most anti-virus packages give you so many false positives flagging all the legitimate network tools, security tools, debugging tools, etc, that you're installing on your machine. You tend to disregard those warnings yourself when you know you're installing a security tool.

Re:Informative article (0)

Anonymous Coward | about 4 years ago | (#32912614)

The name of the plug in is Mozilla Sniffer, which is part of the title.

Re:Informative article (1)

elrous0 (869638) | about 4 years ago | (#32912650)

The title doesn't make this very clear. Aside from capitalizing the name, you would never know that was actually the name of the add-on. GP was right, it should have been named in the summary.

Re:Informative article (1)

Fumus (1258966) | about 4 years ago | (#32912756)

As per above. Someone downmod the OP and give some points to the AC.

Re:Informative article (2, Informative)

stephanruby (542433) | about 4 years ago | (#32913376)

That may be because telling you the name was only half of the issue. The name of the plugin was 'Mozilla Sniffer', but the real name you should hunt down is 'Tamper Data' to make sure you get rid of this thing (not that the makers of the popular 'Tamper Data' extension did anything wrong, it was just that 'Mozilla Sniffer' was disguising itself as 'Tamper Data' by using its uuid and inserting the malicious part of its code into the 'Tamper Data' folder).

wait, add-ons don't have a permissions model? (5, Insightful)

FuckingNickName (1362625) | about 4 years ago | (#32912464)

Do you mean to say that, when I install a Firefox add-on, Firefox won't give a list of requested privileges? Why has it taken 30 years for people who think in Unix security terms to not catch up to the VMS "fine-grained privileges to executables for users" security model?

The whole regular user / root thing is awful. Microsoft is still doing it wrong because, while the NT kernel may approach the right idea, it builds atop it a mess of get-out-of-jail-free paths.

It's not impossible.

(1) By default, allow nothing;

(2) Never allow everything - require software to specify exactly what it needs;

(3) Classify permissions so the user is alerted more violently for more risky permissions - this may depend on the circumstances (e.g. a browser add-on usually shouldn't be asking for the same sort of privileges as backup software);

(4) Software which needs an unusually privileged environment may benefit from auditing and signing, but never make this compulsory because this pisses off everyone;

(5) But, by default, refuse in such circumstances and indicate why. The user needs to make a conscious effort to override a reasonable set of auto-refusal defaults;

(6) Distinguish explicitly between once, occasional, time-limited and forever permissions. To take a particularly insidious example: iPhones ask if you want to give permission for your app to read your GPS location. This isn't permission for the next 15 minutes or day; it's permission forever. That is wrong. Looked at from the other end, don't do a Vista and ask every time. This is worse than not asking at all.

More thoughts, guise?
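An added example, not from the post or from any Mozilla code, that turns the six points above into a small policy check: nothing is granted by default, the add-on must declare what it needs, permissions carry a risk class, unusual ones are refused unless the user consciously overrides, and every grant has a scope (once, session, time-limited or forever). The permission names, risk classes and scope names are assumptions for illustration.

```python
"""Constructed add-on permission policy following the six points in the post.
Permission names, risk classes and scopes are assumptions, not a real browser API."""
import time
from dataclasses import dataclass, field
from typing import Optional

# (3) classify permissions by risk; what counts as "unusual" depends on context
RISK = {"read_prefs": "low", "modify_page": "medium",
        "read_form_data": "high", "network_send": "high", "filesystem": "high"}

# (5) auto-refusal defaults: things a browser add-on normally should not ask for
AUTO_REFUSE = {"read_form_data", "filesystem"}

@dataclass
class Grant:
    scope: str                   # (6) "once", "session", "timed" or "forever"
    expires: Optional[float]     # epoch seconds for "timed", else None
    uses_left: Optional[int]     # 1 for "once", else None

@dataclass
class Policy:
    declared: set                # (2) the add-on lists exactly what it needs
    grants: dict = field(default_factory=dict)   # (1) nothing granted by default

    def request(self, perm, scope, seconds=None, override=False):
        """Return (granted, reason). Undeclared permissions are always refused;
        auto-refused ones need an explicit user override (5); each grant is scoped (6)."""
        if perm not in self.declared:
            return False, "not declared by the add-on"
        if perm in AUTO_REFUSE and not override:
            return False, f"{RISK[perm]}-risk permission refused by default"
        expires = time.time() + seconds if scope == "timed" else None
        self.grants[perm] = Grant(scope, expires, 1 if scope == "once" else None)
        return True, f"granted ({scope})"

    def check(self, perm, now=None):
        """Is `perm` usable right now? Consumes one-shot grants, expires timed ones."""
        g = self.grants.get(perm)
        if g is None:
            return False
        now = time.time() if now is None else now
        if g.expires is not None and now > g.expires:
            del self.grants[perm]          # time-limited grant has lapsed
            return False
        if g.uses_left is not None:
            g.uses_left -= 1
            if g.uses_left == 0:
                del self.grants[perm]      # "once" grant is spent
        return True
```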

Re:wait, add-ons don't have a permissions model? (1)

hedwards (940851) | about 4 years ago | (#32912526)

That's in some respects similar to what Google does with Android. While they don't allow you to choose, they did set up the virtual machine to tell you what the app was able to do so that you could get a quick yea or nay on it. And not auto updating if the capabilities changed.

Re:wait, add-ons don't have a permissions model? (1)

MORB (793798) | about 4 years ago | (#32913024)

And (unsurprisingly) Chrome handles extension permissions like this as well.

Re:wait, add-ons don't have a permissions model? (0)

Anonymous Coward | about 4 years ago | (#32912544)

Chrome's the only thing I use with this model. And it's fairly basic.

Re:wait, add-ons don't have a permissions model? (0)

Anonymous Coward | about 4 years ago | (#32912576)

The average user just clicks the OK button, regardless of what warning text you show.

Re:wait, add-ons don't have a permissions model? (0)

Anonymous Coward | about 4 years ago | (#32912584)

Great plan, easily foiled by greasemonkey... The binary can be squeaky clean, you only need to drop a malicious JS in there... There are enough add-ons that may later add more functionality or content, how will you check that content again? Especially auto-updating-content or feed-ish add-ons are impossible to secure without some rigidly totalitarian rotten Apple rules...

Re:wait, add-ons don't have a permissions model? (1)

bunratty (545641) | about 4 years ago | (#32912676)

This is part of the reason to switch to the new Jetpack [mozilla.org] extension API from the old JavaScript code soup extension model.

From the Jetpack FAQ [mozillalabs.com]:

The Jetpack SDK lets you write add-ons that run in Firefox, Firefox Mobile, and as stand-alone applications using only the familiar technologies of the Web (HTML, Javascript, and CSS). Your add-ons will be faster to code and debug, easier to maintain, and more stable due to the extensible code library and the instant save-refresh development cycle. Your add-ons will also enjoy a stronger, more understandable security model that will keep your users safe.

Re:wait, add-ons don't have a permissions model? (4, Interesting)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32912806)

I think the basic problem is that the nature of the browser makes it pretty difficult to create permission sets that usefully control behavior.

In this case, for instance, the extension was explicitly stated to be(and, as I understand it, was) an extension for examining and modifying HTTP/HTTPS headers, including stuff like GET requests, and the like. Because it was malicious, it was, in addition to whatever modifications the user was making, also issuing a separate little request of its own, with the contents of form fields, to an IP controlled by the author.

You could, on a permissions basis, do things like segregate "extensions that modify browser chrome and only browser chrome" and prevent them from modifying pages at all, and you certainly can(and should) draw a line between "extensions that muck about with pages" and "Extensions that do stuff to the local filesystem"; but given that most of the useful extensions tend to muck around with webpages themselves, that introduces a very difficult security problem.

With conventional permissions setups, you are applying permissions to a set of objects(usually files; but can also be database values, APIs, etc.) that you created and thus know the sensitivity of. A webpage, though, is a collection of objects that some third party created. Unless you have some very clever ideas about how to parse a webpage and automatically categorize the "sensitivity" of various parts of it, it is virtually impossible to meaningfully assign a permissions structure to it. An extension rewrites a script on a webpage: is it making the user more secure(by preventing doubleclick from learning something)? is it making the user less secure(by diverting information to a malicious host)?

Fine grained permissions are a good thing; but you really can't create a useful permissions system(no matter how well designed and granular it may be), if you have no useful way of knowing how valuable the various resources to which you are allowing/denying/conditionally allowing access are. Since web browsers do most of their useful work on masses of objects provided by third parties(currently without any sort of value metadata, and even if there were an adopted standard for providing such, 3rd party value judgments still wouldn't be at all trustworthy.) it is a really hard problem to build a permissions model that is actually useful rather than merely strict.
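Since, as the post above says, a permission model struggles to tell a legitimate page modification from an exfiltrating one, a defender can instead look at the behaviour the summary describes: the real form submission followed by a separate request carrying the same field values to a different host. The following is an added example, not from the thread or from Netcraft, that runs that check over constructed proxy-log lines in an assumed "epoch method url body" format.

```python
"""Constructed detector: flag a form POST whose credential values reappear shortly
afterwards in a request to a different host. Log format and samples are made up."""
from urllib.parse import parse_qs, urlsplit

WINDOW = 5.0                          # seconds between the real POST and the copy
SENSITIVE = ("pass", "pwd", "login", "user")   # field-name fragments treated as credentials

def parse_line(line):
    """'<epoch> <method> <url> <body>' -> dict; body is '-' when empty."""
    ts, method, url, body = line.split(" ", 3)
    u = urlsplit(url)
    fields = parse_qs(u.query)        # query-string parameters
    if body != "-":
        fields.update(parse_qs(body)) # form-encoded body parameters
    return {"ts": float(ts), "method": method, "host": u.hostname, "fields": fields}

def sensitive_values(req):
    """Values of fields whose names look like usernames or passwords."""
    return {v for k, vs in req["fields"].items()
            if any(s in k.lower() for s in SENSITIVE) for v in vs}

def all_values(req):
    return {v for vs in req["fields"].values() for v in vs}

def find_exfil(lines):
    """Return (victim_host, receiving_host) pairs: a credential POSTed to one host
    shows up in any request to another host within WINDOW seconds."""
    reqs = [parse_line(l) for l in lines]
    hits = []
    for i, r in enumerate(reqs):
        if r["method"] != "POST":
            continue
        vals = sensitive_values(r)
        if not vals:
            continue
        for later in reqs[i + 1:]:
            if later["ts"] - r["ts"] > WINDOW:
                break                 # log is time-ordered; nothing later qualifies
            if later["host"] != r["host"] and vals & all_values(later):
                hits.append((r["host"], later["host"]))
    return hits

SAMPLE = [  # constructed lines; 203.0.113.7 is a documentation (TEST-NET-3) address
    "1278950000.0 GET https://mail.example.org/login -",
    "1278950001.2 POST https://mail.example.org/login username=alice&password=hunter2",
    "1278950001.4 POST http://203.0.113.7/collect u=alice&p=hunter2",
    "1278950010.0 POST https://shop.example.net/signin user=bob&pass=s3cret",
    "1278950020.0 GET https://cdn.example.net/img.png -",
]
```

Real add-ons that legitimately resend form data (password managers, single sign-on helpers) will also trip this, so the hits are leads for review rather than verdicts.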

Re:wait, add-ons don't have a permissions model? (5, Insightful)

Karellen (104380) | about 4 years ago | (#32913314)

I have a feeling that the Mozilla guys don't think in Unix security terms. Mozilla/Firefox is targeted more heavily towards Windows than Linux, and it shows in a lot of places that a lot of the developers think that way too.

e.g. The use/implementation of "profiles", which are a work-around to the problem of running on a system that does not support multiple user accounts (well), or where it is expected that multiple users use the same user account. Last I used Mozilla and Firefox on Windows, these were still pretty prominent. They're also included in Unix-based builds, where they're mostly pointless, instead of being IFDEFed out by default on those platforms.

See also the automatic updater. This is required on Windows, which does not have a centralised update system for 3rd party apps, and assumes each user will install their own copy of the software, or will have write privs to system software locations, or will have the Administrator password. It's redundant and useless on most Unices/Linux distros, but the code is still included by default.

It also prefers to bundle its own copies of 3rd party libraries, common practice on Windows where dependency handling doesn't exist, and 3rd parties generally do not bother to try to maintain backwards ABI compatibility between DLLs. Again this is contrary to the Unix way of doing things, where dependencies are well defined, and library authors take pains to ensure backwards-compatible ABIs. But still Mozilla software ships private copies of 3rd party libraries by default on Unix.

Mozilla software appears to be primarily written for Windows by Windows-based developers. Yes, it does work on Unix/Linux systems, but that's not how the developers think, and it shows.

next time use better typos/mistakes (0)

Anonymous Coward | about 4 years ago | (#32912496)

This guy is a native English speaker with a good education and almost surely a security professional trying to see how far he can get.
The typos he has NOT made give it away, among other clues:
(1) "it's" is always correctly used
(2) looks like he deliberately added plurals making it look as though his English is poor
(3) John "Devid"
(4) "check it out"
(5) "don't" is correct
(6) no other spelling characteristic Eastern European mistakes

Just my opinion, I could be wrong.

Simples (2, Funny)

Chrisq (894406) | about 4 years ago | (#32912684)

This guy is a native English speaker with a good education and almost surely a security professional trying to see how far he can get. The typos he has NOT made give it away, among other clues: (1) "it's" is always correctly used (2) looks like he deliberately added plurals making it look as though his English is poor (3) John "Devid" (4) "check it out" (5) "don't" is correct (6) no other spelling characteristic Eastern European mistakes

Just my opinion, I could be wrong.

Simples [comparethemeerkat.com]

That's what you get... (0, Redundant)

The MAZZTer (911996) | about 4 years ago | (#32912516)

.. when you install an unverified, experimental Firefox extension from an untrusted author! Firefox extensions are great because of their power to affect the entire browser and even the host computer, which is what made Firefox popular IMO. But this comes with obvious risks you shouldn't ignore!

Re:That's what you get... (0)

Anonymous Coward | about 4 years ago | (#32912680)

"With great power comes great responsibilities" ?

Matter is: most users don't understand the amount of power they are given.

It was experimental, warnings were there (4, Informative)

Coopjust (872796) | about 4 years ago | (#32912640)

The addon was experimental, and whenever you try to install an experimental addon you have to check a box acknowledging it's experimental before the install button works, and it's tagged with a scary warning that it could blow up your computer or compromise the security of Firefox due to the lack of code review.

Not only that, but the author couldn't even use proper English in the addon description:

View and modify HTTP/HTTPS headers it's base on tamper data but many problems have been solved in this version u can check it out.

Given that, I hate to say that "people had it coming", but I figure people had ample warning that they were trying something that could be malicious.

Re:It was experimental, warnings were there (3, Funny)

mdm-adph (1030332) | about 4 years ago | (#32912750)

I think you're missing the point that there's probably quite a few people on the Internet today who read that description and -- at least to them -- there wasn't anything grammatically wrong with it.

Re:It was experimental, warnings were there (1, Funny)

Anonymous Coward | about 4 years ago | (#32913074)

I think you're missing the point that there's probably quite a few people on the Internet today who read that description and -- at least to them -- there wasn't anything grammatically wrong with it.

What u are talking about? u're english is not perfect either u no.

Stupid tax (2, Funny)

HBI (604924) | about 4 years ago | (#32913180)

Obviously, their grammatical misconceptions cost them something, this time.

Re:It was experimental, warnings were there (2, Insightful)

bunratty (545641) | about 4 years ago | (#32912752)

They had it coming, but some users really are dumb enough to fall for it. This is why Mozilla is also going to make it even harder to find unreviewed add-ons [mozilla.com].

Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site.

netcraft confirms it (1)

mrzaph0d (25646) | about 4 years ago | (#32912828)

that extension is dead.

Addon called "Mozilla Sniffer" (5, Insightful)

DroppedAtBirth (776511) | about 4 years ago | (#32913462)

The addon was called "Mozilla Sniffer", and people still installed it? I would understand if this was some functionality hidden in a valid sounding addon but it's called "Mozilla Sniffer". User FAIL.

Re:Addon called "Mozilla Sniffer" (1)

russotto (537200) | about 4 years ago | (#32914072)

It could have been called "Steal all your passwords and send them to the Russian Mafia" and still some people would have installed it.
