How can an add-on like Firesheep access and execute an external program like Winpcap? Is that a security flaw in Firefox?
I have been reading about the Firesheep add-on that allows the user to hijack sessions of users on the network by stealing the cookie. I understand that to prevent any application from stealing the cookie, the cookie should not be passed by the site without SSL. However, my understanding of how Firesheep works is that it interfaces with Winpcap (a network sniffer). So my question is "How can an add-on execute an external program or operating system command like Winpcap?" Can any add-on do this and should I be extremely afraid of downloading any add-on because of the potential that it could have complete access to my system?
Modified by Scott-L
Additional System Details
- The Totem 2.30.2 plugin handles video and audio streams.
- DivX Web Player version 22.214.171.124
- This plug-in detects the presence of iTunes when opening iTunes Store URLs in a web page with Firefox.
- Shockwave Flash 10.1 r85
- User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:126.96.36.199) Gecko/20101027 Ubuntu/10.04 (lucid) Firefox/3.6.12
Note that using https connection is determined by the web site you are visiting.
Modified by Helper7677
I have read this thoroughly and it does not answer my question. My question is "Is this a security flaw in Firefox?"
Let me rephrase the question, "Does Firesheep take advantage of any security flaw in Firefox?" I'm guessing that it hooks into the web interface of another application (C & A) that then interfaces with Winpcap. So this means that Firefox would allow add-ons to access other sites (perhaps to upload information), so this would imply that add-ons could potentially be used to inject cross-site scripting, should the add-on be malicious. This may or may not be the way that Firesheep works, however, is this scenario possibly a security flaw in the Firefox add-on API?
No, it's not a security flaw in Firefox or its' extension API's.
Firesheep exploits flaws in insecure wireless connections - HTTP, usually "public" or open wi-fi hotspots. Firesheep looks for unencrypted packets to and from 26 different domains, when users are connected thru an unencrypted wireless connection. If you download the Firesheep extension, open the XPI in a Zip utility program, and look in the \handlers\ folder, you'll see which domains are specifically targeted for "snooping" by Firesheep. Amazon, basecamp, bitly, cisco, cnet, dropbox, etc.
Correct me if I'm wrong, but the ability to package executables in a Mozilla add-on could allow the author of the add-on to install and propagate viruses, worms, trojans, malware, data miners, etc. as well as steal passwords, hijack sessions, install/uninstall user software, dump/modify the Windows registry, steal (password) files, etc if this is what the author of the add-on is inclined to accomplish.
Modified by Scott-L
You asked a very good question and it turns out you're right. However, one must be aware that download an Addon on another website that Mozilla may be dangerous. Indeed, the Addons found on the Addon Center are checked (roughly). In addition, Firefox includes a blacklist that blocks addons identified as malicious.