1 / 19

Hack Firefox to steal web-secrets

Hack Firefox to steal web-secrets. Sunil Arora. How many of you use Firefox ?. Firefox and extensions. Firefox Claimed to be most secure and most efficient web browser Firefox extensions A way to extend Firefox to customize or add more functionality to it

shlomo
Download Presentation

Hack Firefox to steal web-secrets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Hack Firefox to steal web-secrets Sunil Arora

  2. How many of you use Firefox ?

  3. Firefox and extensions • Firefox • Claimed to be most secure and most efficient web browser • Firefox extensions • A way to extend Firefox to customize or add more functionality to it • Most of the popular websites (Google, Stumbleupon, Facebook etc.) provide their toolbar in form of extension • Popular functionalities like FTP, CHMReader, Flashblock, Adblock etc are available in form extensions

  4. Agenda • Malware overview • Malware – How it works • A look at existing vulnerabilities • How malware can find its way on to victim’s Firefox • Live demo

  5. Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.

  6. Problem Statement John’s online world How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource(Gmail /Yahoo/Banking website etc)

  7. Secret List Target List Communicator Module Secret Collector Engine Malware -Architecture Our Malware is nothing but a malicious Firefox extension

  8. Malware - Secret Collector -I Intercept http requests being made by the browser Parse http request And Retrieve user typed Web secrets Normal http request process

  9. ??? Malware - Secret Collector - II How to intercept http request “Notifications” mechanism in Firefox • Different Components within the Firefox can register to send/receive notifications. • Some standard notifications -- • quit-application • memory-pressure • Domwindowopened / domwindowclosed • http-on-modify-request / http-on-examine-response

  10. Malware -Target List Set of websites we want to steal secrets for URL:https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd

  11. Malware - Secret List Set of collected secrets URL:https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name:Passwd Value:helloworld

  12. Communicator Module Secret List Target List Internet

  13. How it can find its way to john’s Firefox - I • Installing malicious extension • Command line silent install (firefox.exe –install –silent …XXX) • Using Firefox’s extension installation wizard • Copy malicious extension’s file in extension directory of Firefox

  14. How it can find its way to john’s FireFox - II • Exploit FireFox’s vulnerability (For ex. Extension upgrade vulnerability, quicktime RSTP vulnerability) to push the extension • Installing the malicious extension exploiting vulnerability in some other existing application • Bundle it in some other popular extension and redistribute • Host malicious extension on a webserver and craft a webpage to drive user to install the hosted extension

  15. Firefox extension upgrade vulnerability • Firefox upgrade mechanism • enabling the extensions to poll an Internet server for updates • If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code. • Extensions fetching update from a http://www.xxx.com (non-SSL webserver) instead of https://www.xxx.com (SSL enabled webserver) are vulnerable to DNS based man in the middle attack.

  16. Facebook Extension • Facebook is a very popular social network site. It provides a FF toolbar as an FF extension. • Any FF with facebook toolbar (v 1.1) is vulnerable to update vulnerability. • Package our malicious extension in existing facebook toolbar (v1.6) and will push it through the update vulnerability • Once malicious extension is installed in FF. The victim’s FF is compromised.

  17. Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets Attack Flow Attacker’s update Server Hosting malicious extension Facebook extension update Server Y X John’s FF running Facebook extension Hacker running Master Server

  18. Advisory • Do not use public computer for important information exchange • Up-to-date Software • Install Firefox extensions from authentic sources (https://addons.mozilla.org) only • Regularly check list of installed extensions • Observe Firefox’s performance. Anomaly in performance may be due to an unwanted extension • Do not ignore extension install warning

  19. Thank U arora.sunil@gmail.com

More Related