Archiving: The insecurity of Firefox addons
Just recently I’ve started looking into addon programming, just small applets to either make my life easier and quicker or to help other people with the websites I help on.
I have recently seen how insecure these addons really are. When Mozilla asks if you trust the author, I feel you really MUST trust the author OR go through all their code to check they haven’t anything malicious embedded.
I won’t go into detail about all the insecurities, but there is a very basic keylogging attack: get JavaScript to record your keystrokes, then open up a webpage and push these keystrokes across.
You could program a unique identifier into the program, such as their browser, operating system, host name etc., and then filter these server-side to build up a profile on literally millions of people’s computers.
I feel anything that listens to your keystrokes should alert you on your computer before it’s installed. It wouldn’t take much to write a checking tool to do this, so I feel Mozilla should do this for everyone’s sake.
At least if you are alerted to “this program uses your keystrokes” it might alert people a bit more.
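
One way such a checking tool could work, as an added example that is not from the original post or from Mozilla: it scans an add-on's JavaScript files for keyboard-event listener registrations and builds the pre-install warning. The patterns, function names and sample add-on contents are assumptions constructed for illustration, and pattern matching of this kind does not see through obfuscated code.

```javascript
// Added example: static pre-install check for keyboard-event listeners.
// Patterns, names and sample sources are constructed for illustration.
const KEY_PATTERNS = [
  { name: "addEventListener", re: /addEventListener\s*\(\s*["'`]key(?:down|up|press)["'`]/ },
  { name: "on-handler", re: /\bonkey(?:down|up|press)\s*=/i },
];

// Blank out comments but keep newlines so reported line numbers stay correct.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/(^|[^:'"`])\/\/.*$/gm, "$1");
}

// files: { "path/in/addon.js": "source text", ... } -> array of findings
function scanAddon(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    stripComments(src).split("\n").forEach((line, i) => {
      for (const { name, re } of KEY_PATTERNS) {
        if (re.test(line)) findings.push({ file, line: i + 1, kind: name, text: line.trim() });
      }
    });
  }
  return findings;
}

// Message an installer could show before the add-on is installed.
function installWarning(files) {
  const hits = scanAddon(files);
  if (hits.length === 0) return null; // no keyboard listeners found
  const where = hits.map((h) => `${h.file}:${h.line}`).join(", ");
  return `This program uses your keystrokes (${where})`;
}

// Constructed sample add-on contents (not taken from any real add-on).
const SAMPLE_ADDON = {
  "content/overlay.js": [
    "// keydown is only mentioned in this comment",
    "function init() {",
    "  window.addEventListener('keydown', onShortcut, false);",
    "}",
  ].join("\n"),
  "content/prefs.js": "var label = 'Press any key';\n",
};

console.log(installWarning(SAMPLE_ADDON));
```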