Hack Firefox to steal web-secrets Sunil Arora

Page 1: Hack Firefox to steal  web-secrets

Hack Firefox to steal web-secrets

Sunil Arora

Page 2: Hack Firefox to steal  web-secrets

How many of you use Firefox?

Page 3: Hack Firefox to steal  web-secrets

Firefox and extensions

  • Firefox
      • Claimed to be the most secure and most efficient web browser
  • Firefox extensions
      • A way to extend Firefox to customize or add more functionality to it
      • Most of the popular websites (Google, StumbleUpon, Facebook, etc.) provide their toolbar in the form of an extension
      • Popular functionality like FTP, CHMReader, Flashblock, Adblock, etc. is available in the form of extensions

Page 4: Hack Firefox to steal  web-secrets

Agenda

  • Malware overview
  • Malware: how it works
  • A look at existing vulnerabilities
  • How malware can find its way on to the victim’s Firefox
  • Live demo

Page 5: Hack Firefox to steal  web-secrets

Let’s meet John

  • Uses the internet for social networking, for example Facebook, Orkut, MySpace, etc.
  • Uses email for professional as well as personal communication, for example Gmail, Yahoo or corporate webmail
  • Uses the internet for his credit card transactions, for example Citibank, ICICI Bank, HSBC, etc.
  • Uses internet banking for managing his day-to-day finance activity
  • Blogs on the internet for professional as well as personal purposes

Page 6: Hack Firefox to steal  web-secrets

John’s online world

Problem Statement

How to retrieve values of elements like username, password, credit card number, IPIN, etc. for a particular web resource (Gmail / Yahoo / banking website, etc.)

Page 7: Hack Firefox to steal  web-secrets

Malware - Architecture

  • Target List
  • Secret List
  • Secret Collector Engine
  • Communicator Module

Our malware is nothing but a malicious Firefox extension

Page 8: Hack Firefox to steal  web-secrets

Malware - Secret Collector - I

  • Intercept HTTP requests being made by the browser
  • Parse the HTTP request and retrieve user-typed web secrets

Diagram: normal HTTP request process

Page 9: Hack Firefox to steal  web-secrets

Malware - Secret Collector - II

How to intercept HTTP requests? The “Notifications” mechanism in Firefox

  • Different components within Firefox can register to send/receive notifications.
  • Some standard notifications:
      • quit-application
      • memory-pressure
      • domwindowopened / domwindowclosed
      • http-on-modify-request / http-on-examine-response

Page 10: Hack Firefox to steal  web-secrets

Malware - Target List

Set of websites we want to steal secrets for

  URL: https://www.google.com/Auth
  Number of attributes: 2
  Attribute Names: Email, Passwd

Page 11: Hack Firefox to steal  web-secrets

Malware - Secret List

Set of collected secrets

  URL: https://www.google.com/Auth
  Number of attributes: 2
  Name: Email, Value: [email protected]
  Name: Passwd, Value: helloworld

Page 12: Hack Firefox to steal  web-secrets

Communicator Module

Diagram labels: Target List, Secret List, Internet

Page 13: Hack Firefox to steal  web-secrets

How it can find its way to John’s Firefox - I

  • Installing malicious extension
      • Command line silent install (firefox.exe –install –silent …XXX)
      • Using Firefox’s extension installation wizard
      • Copy the malicious extension’s file into the extension directory of Firefox

Page 14: Hack Firefox to steal  web-secrets

How it can find its way to John’s Firefox - II

  • Exploit a Firefox vulnerability (for example the extension upgrade vulnerability or the QuickTime RTSP vulnerability) to push the extension
  • Install the malicious extension by exploiting a vulnerability in some other existing application
  • Bundle it in some other popular extension and redistribute
  • Host the malicious extension on a web server and craft a web page to drive the user to install the hosted extension

Page 15: Hack Firefox to steal  web-secrets

Firefox extension upgrade vulnerability

  • Firefox has an upgrade mechanism enabling extensions to poll an Internet server for updates
  • If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code.
  • Extensions fetching updates from http://www.xxx.com (non-SSL web server) instead of https://www.xxx.com (SSL-enabled web server) are vulnerable to a DNS-based man-in-the-middle attack.

Page 16: Hack Firefox to steal  web-secrets

Facebook Extension

  • Facebook is a very popular social network site. It provides an FF toolbar as an FF extension.
  • Any FF with the Facebook toolbar (v 1.1) is vulnerable to the update vulnerability.
  • Package our malicious extension in the existing Facebook toolbar (v1.6) and push it through the update vulnerability
  • Once the malicious extension is installed in FF, the victim’s FF is compromised.

Page 17: Hack Firefox to steal  web-secrets

Attack Flow

Diagram labels:

  • Facebook extension update server
  • Attacker’s update server, hosting the malicious extension
  • Untrusted public network
  • John’s FF running the Facebook extension
  • Hacker running Master Server
  • X, Y

Messages shown in the diagram:

  • What is the IP of the update server?
  • Update server is at Y
  • Fetches Target Lists
  • Sends collected Secrets

Page 18: Hack Firefox to steal  web-secrets

Advisory

  • Do not use a public computer for important information exchange
  • Up-to-date software
  • Install Firefox extensions from authentic sources (https://addons.mozilla.org) only
  • Regularly check the list of installed extensions
  • Observe Firefox’s performance. An anomaly in performance may be due to an unwanted extension
  • Do not ignore the extension install warning
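
The advisory's "regularly check the list of installed extensions" can be partly automated for the two traits this deck relies on: an update check over plain HTTP (Page 15) and registration for the HTTP notification topics (Page 9). The following is an added example, not code from the presentation. It assumes legacy packages whose manifest is `install.rdf` with the `em:updateURL` and `em:updateKey` fields (names not given in the slides), and the sample package with its `example.invalid` URLs is constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"   # namespace of legacy install.rdf
OBSERVE = re.compile(   # registration for the HTTP topics named on Page 9
    r"addObserver\s*\([^)]*?['\"](http-on-modify-request|http-on-examine-response)['\"]")

def manifest_value(root, name):
    """em:<name> may appear as a child element or as an attribute."""
    for el in root.iter():
        if el.tag == EM + name and (el.text or "").strip():
            return el.text.strip()
        if el.get(EM + name):
            return el.get(EM + name)
    return None

def audit_xpi(xpi_bytes):
    """Return sorted findings for one legacy (install.rdf) extension package."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for name in xpi.namelist():
            if name == "install.rdf":
                root = ET.fromstring(xpi.read(name))
                url = manifest_value(root, "updateURL")
                key = manifest_value(root, "updateKey")
                # A plain-HTTP update check is unprotected unless a key is pinned.
                if url and not key and urlparse(url).scheme.lower() != "https":
                    findings.add("insecure-update-url: " + url)
            elif name.endswith((".js", ".jsm")):
                text = xpi.read(name).decode("utf-8", errors="replace")
                for topic in set(OBSERVE.findall(text)):
                    findings.add("observes %s: %s" % (topic, name))
    return sorted(findings)

def build_sample_xpi(update_url, js_source):
    """Constructed fixture: a minimal in-memory XPI (not a real extension)."""
    rdf = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
           '<Description about="urn:mozilla:install-manifest">'
           '<em:updateURL>%s</em:updateURL></Description></RDF>' % update_url)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        z.writestr("chrome/content/overlay.js", js_source)
    return buf.getvalue()
```

Call `audit_xpi(open(path, "rb").read())` for each packaged extension under review; a finding is a prompt for manual inspection, since legitimate extensions also observe HTTP traffic.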

Page 19: Hack Firefox to steal  web-secrets

Thank U

[email protected]