Vigil@nce - Firefox: audit bypassing via Extension-Reuse
April 2016 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious Firefox extension, and invite
the victim to install it, in order to perform operations through
other extensions already installed.
Impacted products: Firefox, SeaMonkey.
Severity: 1/4.
Creation date: 05/04/2016.
DESCRIPTION OF THE VULNERABILITY
The Mozilla team set up an audit process in order to validate
extensions published on https://addons.mozilla.org/
However, a malicious extension can use low-level features of other
extensions already audited, approved, and installed on the victim’s
computer.
An attacker can therefore create a malicious Firefox extension,
and invite the victim to install it, in order to perform
operations through other extensions already installed.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Firefox-audit-bypassing-via-Extension-Reuse-19300