Security researchers have warned that hundreds of popular extensions for the Firefox browser have exposed millions of users to hack attacks.
Researchers from the Northeastern University in Boston discovered a flaw that allows hackers to stealthily execute malicious code hiding behind a seemingly benign extension, such as NoScript and Firebug, and steal data.
The flaw is attributed to a weakness in Firefox’s extension structure, which fails to isolate various browser add-ons. This allows them to connect to the capabilities of other popular third-party extensions.
"These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks," the researchers wrote in a paper presented at Singapore’s Black Hat security conference.