full-disclosure-uk May 2007 archive

Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions

From: Joey Mengele <joey.mengele_at_nospam>
Date: Wed May 30 2007 - 15:57:59 GMT
To: <full-disclosure@lists.grok.org.uk>, <csoghoian@gmail.com>

Hello List,

>Frequently Asked Questions
>Q: Who is at risk?
>A: Anyone who has installed the Firefox Web Browser and one or
>vulnerable extensions. These include, but are not limited to:
>Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us
>Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser
>Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.

Don't you mean anyone who has these installed and is using a rogue or compromised DNS server?

>Q: How many people are at risk?
>A: Millions. Exact numbers for each toolbar/extension are not
>by the vendors. Google Toolbar, which is one of the most popular
>the vulnerable extensions, is installed as part of the download
>process with WinZip, RealNetworks' Real Player and Adobe's
>Google publicly pays website publishers $1 for each copy of
>Firefox +
>Google Toolbar that customers download and install through a
>publisher's website.
>Google confirmed in 2005 that their toolbar product's user base
>"in the millions". Given the number of distribution deals that
>been signed, the number of users can only have grown in size

Oh stop being such a drama queen. Are you suggesting "millions" have their DNS compromised and their home routers owned? Isn't this bug rather inconsequential for these people anyway?

>Q: When am I at risk?
>A: When you use a public wireless network, an untrusted Internet
>connection, or a wireless home router with the default password

Duh. You don't need to be running some silly toolbar to be at risk in this scenario.

>Q: What can I do to reduce my risk?
>A: Users with wireless home routers should change their password
>something other than the default.

Are you really suggesting wide scale wireless home router compromise? Is there an army of hacker dudes driving around compromising unprotected wireless routers in the millions that I am not aware of? Surely the Security Focus PharmConMeter(TM) would have alerted me if this were the case!

>Q: Why is this attack possible?
>A: The problem stems from design flaws, false assumptions, and a
>of solid developer documentation instructing extension authors on
>best way to secure their code.

See also "because your DNS server is owned"

>Description Of Vulnerability

Blabla, you are a technical genius. Let's move on Dr. Chris.

>When Are Users Vulnerable
>Users are most vulnerable to this attack when they cannot trust
>domain name server. Examples of such a situation include:
> * Using a public or unencrypted wireless network.
> * Using a network router (wireless or wired) at home that has
>infected/hacked through a drive by pharming attack. This
>risk can be heavily reduced by changing the default password on
>home router.

Hahahahahahha. Drive by pharming. What a fucking joke. This industry is the best.

>Fixing The Problem
>The number of vulnerable extensions is more lengthy than those
>in this document. Until vendors have fixed the problems, users
>remove/disable all Firefox extensions except those that they are
>they have downloaded from the official Firefox Add-ons website
>(https://addons.mozilla.org). If in doubt, delete the extension,
>then download it again from a safe place.

No way dude, use The Internet Explorer!

>Self Disclosure/Conflict of Interest Statement
>Christopher Soghoian is a PhD student in the School of Informatics
>Indiana University. He is a member of the Stop Phishing Research
>Group. His research is focused in the areas of phishing, click-
>search privacy and airport security. He has worked as an intern with
>Google, Apple, IBM and Cybertrust. He is the co-inventor of
>pending patents in the areas of mobile authentication, anti-
>and virtual machine defense against viruses. His website is
>http://www.dubfire.net/chris/ and he blogs regularly at

Impressive. The scholarly source Wikipedia [1] says you are also that guy that made boarding passes for Al Qaeda? Kudos.

>Information on this vulnerability was disclosed for free to the
>listed vendors.

Oi! Such a deal.


[1] http://en.wikipedia.org/wiki/Christopher_Soghoian