How can an add-on like Firesheep access and execute an external program like Winpcap? Is that a security flaw in Firefox?
I have been reading about the Firesheep add-on that allows the user to hijack sessions of users on the network by stealing the cookie. I understand that to prevent any application from stealing the cookie, the cookie should not be passed by the site without SSL. However, my understanding of how Firesheep works is that it interfaces with Winpcap (a network sniffer). So my question is "How can an add-on execute an external program or operating system command like Winpcap?" Can any add-on do this and should I be extremely afraid of downloading any add-on because of the potential that it could have complete access to my system?
All Replies (5)
Read this thoroughly: http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/
Note that using an HTTPS connection is determined by the web site you are visiting.
I have read this thoroughly and it does not answer my question. My question is "Is this a security flaw in Firefox?"
Let me rephrase the question, "Does Firesheep take advantage of any security flaw in Firefox?" I'm guessing that it hooks into the web interface of another application (C & A) that then interfaces with Winpcap. So this means that Firefox would allow add-ons to access other sites (perhaps to upload information), so this would imply that add-ons could potentially be used to inject cross-site scripting, should the add-on be malicious. This may or may not be the way that Firesheep works; however, is this scenario possibly a security flaw in the Firefox add-on API?
No, it's not a security flaw in Firefox or its extension APIs.
Firesheep exploits flaws in insecure wireless connections - HTTP, usually "public" or open Wi-Fi hotspots. Firesheep looks for unencrypted packets to and from 26 different domains, when users are connected through an unencrypted wireless connection. If you download the Firesheep extension, open the XPI in a Zip utility program, and look in the \handlers\ folder, you'll see which domains are specifically targeted for "snooping" by Firesheep. Amazon, basecamp, bitly, cisco, cnet, dropbox, etc.
I have downloaded Firesheep and unzipped the XPI file and found that my initial concern is true. The XPI file packages several DLLs and EXE files (see \platform\WINNT_x86-msvc); therefore, that tells me that ANY add-on could have full access to any computer system that it is installed on, including accessing the hard drive, network, peripherals, etc. if the author has included DLLs or EXE files in the add-on to do so. In the case of Firesheep, it only needs Winpcap to bypass Windows drivers to sniff the network. It would seem safer to me that Firefox add-ons would only have access to the DOM (via JavaScript); however, this is not the case.
Correct me if I'm wrong, but the ability to package executables in a Mozilla add-on could allow the author of the add-on to install and propagate viruses, worms, trojans, malware, data miners, etc. as well as steal passwords, hijack sessions, install/uninstall user software, dump/modify the Windows registry, steal (password) files, etc. if this is what the author of the add-on is inclined to accomplish.
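The inspection described in the two replies above (opening the XPI as a Zip archive and looking for bundled DLL and EXE files), as an added example that is not part of the original thread: a Python sketch that lists native binaries inside an XPI by magic number, including those inside nested JAR/ZIP members. It goes beyond Windows PE files to ELF and Mach-O, and the sample archive and its file names are constructed for illustration.

```python
import io
import zipfile

# Magic numbers of native code formats. 0xCAFEBABE is also used by Java class files.
NATIVE_MAGIC = {
    b"MZ": "PE (Windows EXE/DLL)",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal or Java class",
}
ZIP_MAGIC = b"PK\x03\x04"

def native_format(header):
    """Return the format name if the header matches a native binary, else None."""
    for magic, name in NATIVE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None

def find_native_code(xpi_bytes, prefix=""):
    """Return [(path, format)] for native binaries in an XPI, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with archive.open(info) as member:
                header = member.read(4)          # only the magic bytes are needed
            fmt = native_format(header)
            if fmt:
                findings.append((path, fmt))
            elif header == ZIP_MAGIC:            # e.g. a chrome .jar inside the XPI
                findings.extend(find_native_code(archive.read(info), path + "!/"))
    return findings

def build_sample_xpi():
    """Constructed sample archive; file names and contents are made up for this example."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("content/overlay.js", "// constructed script")
        jar.writestr("bin/helper.exe", b"MZ\x90\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("handlers/example.js", "// constructed handler")
        xpi.writestr("platform/WINNT_x86-msvc/components/sample.dll", b"MZ\x90\x00" + b"\x00" * 60)
        xpi.writestr("chrome/sample.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, fmt in find_native_code(build_sample_xpi()):
        print(f"{fmt:22} {path}")
```

To check a downloaded add-on, pass the file's bytes (`open(path, "rb").read()`) to `find_native_code` before installing it.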
Hi Scott-L.
You asked a very good question and it turns out you're right. However, one must be aware that downloading an Addon from a website other than Mozilla may be dangerous. Indeed, the Addons found on the Addon Center are checked (roughly). In addition, Firefox includes a blacklist that blocks addons identified as malicious.
More information here: http://www.computerworld.com/s/articl.../Mozilla_No_kill_switch_for_Firesheep_add_on?taxonomyId=17&pageNumber=1