[tor-talk] web browser add-on extensions vulnerabilities

Joe Btfsplk joebtfsplk at gmx.com
Sun Apr 10 21:12:45 UTC 2016


On 4/10/2016 5:36 AM, jb wrote:
> Tor Browser users:
>
> NoScript and other popular Firefox add-ons open millions to new attack
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
>
> TB supplies default extensions, from which two are TB project's own and should
> be subjected to an extension review process like those vetted by Mozilla.
>
> The researchers provide a CROSSFIRE tool to analyze them.
> Google search:
> CrossFire: An Analysis of Firefox Extension-Reuse
>
> Of course, one more reason to be careful about using add-ons in TB.
> jb
>
From the same page:
"Nine of the top 10 most popular Firefox add-ons contain exploitable 
vulnerabilities."
"Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and 
FlashGot Mass Down all contained bugs that made it possible for the 
malicious add-on to execute malicious code. Many of those apps, and many 
others analyzed in the study, also made it possible to steal browser 
cookies, control or access a computer's file system, or to open webpages 
to sites of an attacker's choosing."

