Closed Bug 621394 Opened 14 years ago Closed 14 years ago

Remote Keylogger Firefox Addon

Categories

(Firefox :: Security, defect)

defect
Not set
critical

VERIFIED INCOMPLETE

People

(Reporter: cassiusmail, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1.11) Gecko/20100701 AskTbMYC-ST/3.9.1.14019 Firefox/3.5.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.1.11) Gecko/20100701 AskTbMYC-ST/3.9.1.14019 Firefox/3.5.11

I will not delve into this addon, I see that the problem goes beyond. I believe that many addons such as these will arise, my suggestion to mitigate the problem at hand is to create a verification tool addons, example: Firefox addons trust.

1 - Implement the policy for developing addons, where developers will have to send upload addon for Mozilla Firefox which will ensure that the addon does not contain codes that endanger the security of Firefox users.
2 - After ensuring the Mozilla Foundation code generates an MD5 or SHA1 hash on the file of the addon, this will be the signature trust Firefox addons.
3 - When a user decides to install a Mozilla Firefox addons, Firefox addon that causes the hash that is being installed and check the online subscription base of Firefox addons trust.
4 - If the hash of this addon is on the basis of trust Firefox addons installation is released indicating that the addon is safe.
5 - If the hash of this addon is not on the basis of trust Firefox addons installation is blocked indicating that the addon is not safe. "If you are sure you want to proceed will endanger their privacy."

obs. The signature verification is fast and lightweight, it only gives the existence of the hash that has a size of few bytes.

Reproducible: Always
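The hash lookup described in steps 2 to 5 of the report, as an added example that is not part of the report or of any Mozilla code. It assumes SHA-256 in place of the MD5 or SHA1 named in the report, a local set standing in for the online trust base, and constructed sample packages; all function names are hypothetical.

```python
import hashlib
import io
import zipfile

# Hypothetical "trust base": digests of add-on packages that passed review.
# The report proposes an online lookup; a local set stands in for it here.
TRUST_BASE = set()


def build_xpi(files):
    """Build a constructed XPI (a ZIP archive) in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in sorted(files.items()):
            # Fixed timestamp so identical content always yields identical bytes.
            info = zipfile.ZipInfo(name, date_time=(2010, 1, 1, 0, 0, 0))
            z.writestr(info, data)
    return buf.getvalue()


def digest(xpi_bytes):
    """Hash the whole package file, as steps 2 and 3 of the report describe."""
    return hashlib.sha256(xpi_bytes).hexdigest()


def register_reviewed(xpi_bytes):
    """Step 2: after review, record the package digest in the trust base."""
    d = digest(xpi_bytes)
    TRUST_BASE.add(d)
    return d


def install_decision(xpi_bytes):
    """Steps 3 to 5: hash the package being installed and look it up."""
    return "allow" if digest(xpi_bytes) in TRUST_BASE else "block"


# Constructed sample add-on, reviewed and registered.
REVIEWED = build_xpi({"install.rdf": b"<RDF/>", "content/overlay.js": b"// ok\n"})
register_reviewed(REVIEWED)

# Same add-on with one file altered after review: the digest no longer matches.
TAMPERED = build_xpi({"install.rdf": b"<RDF/>",
                      "content/overlay.js": b"// ok\n// extra code\n"})

if __name__ == "__main__":
    print("reviewed:", install_decision(REVIEWED))
    print("tampered:", install_decision(TAMPERED))
```

An exact-match digest identifies one specific file, so every new version of an add-on needs its own entry in the trust base.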
People have been believing "many" of these will arise for a long time (the video you link to is several years old) but for the most part they have not. There have been cases where externally downloaded and installed software adds unvetted browser objects to the system (historically for IE, more recently for Firefox also), but that's fairly incidental to Firefox addons since the same could be accomplished (and sometimes is) through pure binary hooks. By default the only trusted source for addons that users should use is https://addons.mozilla.org/ and a careful review process keeps this kind of malware from appearing. Unreviewed addons are a little too accessible for my tastes, but that unreviewed state is clearly marked (and these will be going away entirely in a future update on the site). This seems like a feature request, but it's not fleshed out enough to result in code work: I'm going to resolve this in favor of discussions in the newsgroups, IRC, or https://wiki.mozilla.org/ where you can find the future plans for the addons feature.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
Status: RESOLVED → VERIFIED