X
Tap here to go to the mobile version of the site.
Your Firefox is out of date and may contain a security risk! Upgrade Firefox

Support Forum

How can an add-on like Firesheep access and execute an external program like Winpcap? Is that a security flaw in Firefox?

Posted

I have been reading about the Firesheep add-on that allows the user to hijack sessions of users on the network by stealing the cookie. I understand that to prevent any application from stealing the cookie, the cookie should not be passed by the site without SSL. However, my understanding of how Firesheep works is that it interfaces with Winpcap (a network sniffer). So my question is "How can an add-on execute an external program or operating system command like Winpcap?" Can any add-on do this and should I be extremely afraid of downloading any add-on because of the potential that it could have complete access to my system?

Modified by Scott-L

Additional System Details

Installed Plug-ins

  • The Totem 2.30.2 plugin handles video and audio streams.
  • DivX Web Player version 1.4.0.233
  • This plug-in detects the presence of iTunes when opening iTunes Store URLs in a web page with Firefox.
  • Shockwave Flash 10.1 r85

Application

  • User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.04 (lucid) Firefox/3.6.12

More Information

Is this a security flaw in the Firefox add-on interface where it should only be able to execute Javascript code, but allows much more?

Helper7677 165 solutions 1653 answers

Read this thoroughly: http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/

Also: http://www.mydigitallife.info/2010/06/26/always-use-https-secure-addresses-in-firefox-with-https-everywhere/

Note that using https connection is determined by the web site you are visiting.

Modified by Helper7677

Question owner

I have read this thoroughly and it does not answer my question. My question is "Is this a security flaw in Firefox?"

Let me rephrase the question, "Does Firesheep take advantage of any security flaw in Firefox?" I'm guessing that it hooks into the web interface of another application (C & A) that then interfaces with Winpcap. So this means that Firefox would allow add-ons to access other sites (perhaps to upload information), so this would imply that add-ons could potentially be used to inject cross-site scripting, should the add-on be malicious. This may or may not be the way that Firesheep works, however, is this scenario possibly a security flaw in the Firefox add-on API?

the-edmeister
  • Top 10 Contributor
  • Moderator
3197 solutions 24403 answers

No, it's not a security flaw in Firefox or its' extension API's.

Firesheep exploits flaws in insecure wireless connections - HTTP, usually "public" or open wi-fi hotspots. Firesheep looks for unencrypted packets to and from 26 different domains, when users are connected thru an unencrypted wireless connection. If you download the Firesheep extension, open the XPI in a Zip utility program, and look in the \handlers\ folder, you'll see which domains are specifically targeted for "snooping" by Firesheep. Amazon, basecamp, bitly, cisco, cnet, dropbox, etc.

Question owner

I have downloaded Firesheep and unzipped the XPI file and found that my initial concern is true. The XPI file packages several DLLs and EXE files (see \platform\WINNT_x86-msvc) therefore that tells me that ANY add-on could have full access to any computer system that it is installed on, including accessing the hard drive, network, peripherals, etc. if the author has included DLLs or EXE files in the add-on to do so. In the case of Firesheep, it only needs Winpcap to bypass Windows drivers to sniff the network. It would seem more safe to me that Firefox add-ons would only have access to the DOM (via JavaScript), however, this is not the case.

Correct me if I'm wrong, but the ability to package executables in a Mozilla add-on could allow the author of the add-on to install and propagate viruses, worms, trojans, malware, data miners, etc. as well as steal passwords, hijack sessions, install/uninstall user software, dump/modify the Windows registry, steal (password) files, etc if this is what the author of the add-on is inclined to accomplish.

Modified by Scott-L

ehpysprog 0 solutions 3 answers

Helpful Reply

Hi Scott-L.

You asked a very good question and it turns out you're right. However, one must be aware that download an Addon on another website that Mozilla may be dangerous. Indeed, the Addons found on the Addon Center are checked (roughly). In addition, Firefox includes a blacklist that blocks addons identified as malicious.

More information here: http://www.computerworld.com/s/articl.../Mozilla_No_kill_switch_for_Firesheep_add_on?taxonomyId=17&pageNumber=1