SlideShare a Scribd company logo

Hack Firefox to steal websecrets

G
guestb3d416

This document summarizes how malware can steal sensitive web information by exploiting Firefox vulnerabilities. It describes how a malicious Firefox extension could intercept HTTP requests, parse them to retrieve usernames, passwords, credit card numbers entered by the user on various websites. The malware would collect these secrets and send them to an external server via a Communicator Module. It then discusses techniques the malware could use to install itself on a victim's Firefox browser like exploiting other software vulnerabilities, bundling with popular extensions, or using a Firefox extension upgrade vulnerability.

Technology
1 of 19
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Hack Firefox to steal web-secrets Sunil Arora
How many of you use Firefox ?
Firefox and extensions Firefox Claimed to be most secure and most efficient web browser Firefox extensions A way to extend Firefox to customize or add more functionality to it Most of the popular websites (Google, Stumbleupon, Facebook etc.) provide their toolbar in form of extension Popular functionalities like FTP, CHMReader, Flashblock, Adblock etc are available in form extensions
Agenda Malware overview Malware – How it works A look at existing vulnerabilities How malware can find its way on to victim’s Firefox Live demo
Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
Intercept http requests being made by the browser Malware - Secret Collector -I Normal http request process Parse http request And Retrieve user typed Web secrets
Malware - Secret Collector - II Different Components within the Firefox can register to send/receive notifications. Some standard notifications -- quit-application memory-pressure Domwindowopened / domwindowclosed http-on-modify-request / http-on-examine-response How to intercept http request “ Notifications” mechanism in Firefox ???
Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
Communicator Module Target List Secret List Internet
How it can find its way to john’s Firefox - I Installing malicious extension Command line silent install (firefox.exe –install –silent …XXX) Using Firefox’s extension installation wizard Copy malicious extension’s file in extension directory of Firefox
Exploit FireFox’s vulnerability (For ex. Extension upgrade vulnerability, quicktime RSTP vulnerability) to push the extension Installing the malicious extension exploiting vulnerability in some other existing application Bundle it in some other popular extension and redistribute Host malicious extension on a webserver and craft a webpage to drive user to install the hosted extension How it can find its way to john’s FireFox - II
Firefox extension upgrade vulnerability Firefox upgrade mechanism enabling the extensions to poll an Internet server for updates If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code. Extensions fetching update from a http ://www.xxx.com (non-SSL webserver) instead of https: //www.xxx.com (SSL enabled webserver) are vulnerable to DNS based man in the middle attack.
Facebook Extension Facebook is a very popular social network site. It provides a FF toolbar as an FF extension. Any FF with facebook toolbar (v 1.1) is vulnerable to update vulnerability. Package our malicious extension in existing facebook toolbar (v1.6) and will push it through the update vulnerability Once malicious extension is installed in FF. The victim’s FF is compromised.
Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
Advisory Do not use public computer for important information exchange Up-to-date Software Install Firefox extensions from authentic sources (https://addons.mozilla.org) only Regularly check list of installed extensions Observe Firefox’s performance. Anomaly in performance may be due to an unwanted extension Do not ignore extension install warning
Thank U [email_address]

More Related Content

PPTX
Wordpress security 101 202
James Ruffer
 
PPT
Security presentation
Smart Mirror
 
PPTX
Vulnerability assessment of PHP Frameworks
Valency Networks
 
PDF
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
Yhal Htet Aung
 
PDF
Wannacry Virus
East West University
 
PDF
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
achettih
 
PPT
Today's malware aint what you think
Nathan Winters
 
PPTX
The trojan horse virus
HTS Hosting
 
Wordpress security 101 202
James Ruffer
 
Security presentation
Smart Mirror
 
Vulnerability assessment of PHP Frameworks
Valency Networks
 
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
Yhal Htet Aung
 
Wannacry Virus
East West University
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
achettih
 
Today's malware aint what you think
Nathan Winters
 
The trojan horse virus
HTS Hosting
 

What's hot (8)

PPTX
Web server security challenges
Martins Chibuike Onuoha
 
PDF
Techno Savvy Course Presentation
Jesse Emerick
 
PPTX
Introduction to Malwares
Abdelhamid Limami
 
PDF
Ransomware Trends 2017 & Mitigation Techniques
Avinash Sinha
 
PPTX
MALWARE AND ITS TYPES
Sagilasagi1
 
PPT
Ne Course Part One
backdoor
 
PDF
Scaling Web 2.0 Malware Infection
Wayne Huang
 
ODT
Symptoms of aol and remove
jreidmichele
 
Web server security challenges
Martins Chibuike Onuoha
 
Techno Savvy Course Presentation
Jesse Emerick
 
Introduction to Malwares
Abdelhamid Limami
 
Ransomware Trends 2017 & Mitigation Techniques
Avinash Sinha
 
MALWARE AND ITS TYPES
Sagilasagi1
 
Ne Course Part One
backdoor
 
Scaling Web 2.0 Malware Infection
Wayne Huang
 
Symptoms of aol and remove
jreidmichele
 

Similar to Hack Firefox to steal websecrets (20)

PDF
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
PDF
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
PDF
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Zoltan Balazs
 
PDF
Hacktivityonly 121013141039-phpapp02
Комсс Файквэе
 
PDF
Elsevier NESE - Spying on the Browser
Aditya K Sood
 
PPTX
Firefox security (prasanna)
ClubHack
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
PDF
The Evil Friend in Your Browser
Achim D. Brucker
 
PPTX
Firefox (in)Security
Prasanna Kanagasabai
 
PPTX
Chrome Extensions: Masking risks in entertainment
Eduardo Chavarro
 
PDF
Ce hv6 module 53 hacking web browsers
Vi Tính Hoàng Nam
 
PPTX
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
PDF
Web Security - Introduction
SQALab
 
PPTX
News bytes Sept-2011
Ashwin Patil, GCIH, GCIA, GCFE
 
PDF
Disclosing Vulnerabilities for Fun and Profit
n|u - The Open Security Community
 
DOCX
Cisco WebEx vulnerability: it’s a kind of magic
ITrust - Cybersecurity as a Service
 
PDF
About Firefox
s1180171
 
PDF
Slide
s1180179
 
PPT
Security 101
Red Gate Software
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Zoltan Balazs
 
Hacktivityonly 121013141039-phpapp02
Комсс Файквэе
 
Elsevier NESE - Spying on the Browser
Aditya K Sood
 
Firefox security (prasanna)
ClubHack
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
The Evil Friend in Your Browser
Achim D. Brucker
 
Firefox (in)Security
Prasanna Kanagasabai
 
Chrome Extensions: Masking risks in entertainment
Eduardo Chavarro
 
Ce hv6 module 53 hacking web browsers
Vi Tính Hoàng Nam
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Web Security - Introduction v.1.3
Oles Seheda
 
Web Security - Introduction
SQALab
 
News bytes Sept-2011
Ashwin Patil, GCIH, GCIA, GCFE
 
Disclosing Vulnerabilities for Fun and Profit
n|u - The Open Security Community
 
Cisco WebEx vulnerability: it’s a kind of magic
ITrust - Cybersecurity as a Service
 
About Firefox
s1180171
 
Slide
s1180179
 
Security 101
Red Gate Software
 

Recently uploaded (20)

PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Cloud computing and distributed systems.
kkkkkhan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KodekX | Application Modernization Development
KodekX
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 

Hack Firefox to steal websecrets

  • 1. Hack Firefox to steal web-secrets Sunil Arora
  • 2. How many of you use Firefox ?
  • 3. Firefox and extensions Firefox Claimed to be most secure and most efficient web browser Firefox extensions A way to extend Firefox to customize or add more functionality to it Most of the popular websites (Google, Stumbleupon, Facebook etc.) provide their toolbar in form of extension Popular functionalities like FTP, CHMReader, Flashblock, Adblock etc are available in form extensions
  • 4. Agenda Malware overview Malware – How it works A look at existing vulnerabilities How malware can find its way on to victim’s Firefox Live demo
  • 5. Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
  • 6. John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
  • 7. Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
  • 8. Intercept http requests being made by the browser Malware - Secret Collector -I Normal http request process Parse http request And Retrieve user typed Web secrets
  • 9. Malware - Secret Collector - II Different Components within the Firefox can register to send/receive notifications. Some standard notifications -- quit-application memory-pressure Domwindowopened / domwindowclosed http-on-modify-request / http-on-examine-response How to intercept http request “ Notifications” mechanism in Firefox ???
  • 10. Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
  • 11. Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
  • 12. Communicator Module Target List Secret List Internet
  • 13. How it can find its way to john’s Firefox - I Installing malicious extension Command line silent install (firefox.exe –install –silent …XXX) Using Firefox’s extension installation wizard Copy malicious extension’s file in extension directory of Firefox
  • 14. Exploit FireFox’s vulnerability (For ex. Extension upgrade vulnerability, quicktime RSTP vulnerability) to push the extension Installing the malicious extension exploiting vulnerability in some other existing application Bundle it in some other popular extension and redistribute Host malicious extension on a webserver and craft a webpage to drive user to install the hosted extension How it can find its way to john’s FireFox - II
  • 15. Firefox extension upgrade vulnerability Firefox upgrade mechanism enabling the extensions to poll an Internet server for updates If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code. Extensions fetching update from a http ://www.xxx.com (non-SSL webserver) instead of https: //www.xxx.com (SSL enabled webserver) are vulnerable to DNS based man in the middle attack.
  • 16. Facebook Extension Facebook is a very popular social network site. It provides a FF toolbar as an FF extension. Any FF with facebook toolbar (v 1.1) is vulnerable to update vulnerability. Package our malicious extension in existing facebook toolbar (v1.6) and will push it through the update vulnerability Once malicious extension is installed in FF. The victim’s FF is compromised.
  • 17. Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
  • 18. Advisory Do not use public computer for important information exchange Up-to-date Software Install Firefox extensions from authentic sources (https://addons.mozilla.org) only Regularly check list of installed extensions Observe Firefox’s performance. Anomaly in performance may be due to an unwanted extension Do not ignore extension install warning