Using certain Firefox addons, such as the popular Google, Facebook, and LinkedIn addons, could leave your computer open to hackers, according to security expert and Indiana University graduate student in informatics Christopher Soghoian. Thankfully, tools such as NoScript, Greasemonkey, and AdBlock Plus are safe. Problems can arise, says Soghoian, because of the way the likes of the Facebook addon is updated via an external server rather than Firefox’s parent system Mozilla.
Addons affected by the security vulnerability include:
- Google Toolbar and Google Browser Sync
- Yahoo Toolbar
- Del.icio.us Extension
- Facebook Toolbar
- AOL Toolbar
- Ask.com Toolbar
- LinkedIn Browser Toolbar
- Netcraft Anti-Phishing Toolbar
- PhishTank SiteChecker
“Users are vulnerable and are at risk of an attacker silently installing malicious software on their computers. This possibility exists whenever the user cannot trust their domain name server (DNS) or network connection. Examples of this include public wireless networks, and users connected to compromised home routers,” says Soghoian on his slight paranoia blogspot.
Reading between the lines, however, Soghoian’s suggestion that we all remove these “commercial” addons at once, is perhaps a little over the top. If you can trust your DNS, never use public wireless access and have enough understanding of your router setup to ensure you are not compromised through that method (simply ensure you set a new password and never use the default!), then you should be perfectly safe.
Soghoian’s claims millions of users are at risk, and could be victim to malicious software being installed on your computer that could hijack e-banking sessions, steal emails, send spam from your machine. He adds that, “Only those [addons] that have been downloaded from the official Firefox Add-Ons page are safe.
Other, mainly commercial, extensions are also afflicted says Soghoian, who recommends user uninstall all these addons pending the release of security patches that preclude the issues.
Having been told how powerful and safe Firefox would be compared with other highly susceptible browsers, perhaps the tide is now turning. Maybe it is time to strip back our browsers and run with a minimalist approach – no addons, no tweaks, no plugins. It could become very boring, very quickly. So, instead, be very aware of the problem, make sure you are security-enabled whenever you connect wirelessly or through a DNS that is not provided by your ISP (OpenDNS is a better alternative than the DNS offered by an access point.) But, most of all, do not leave your router running with the default passwords. Lists of default passwords are available across the web to wouldbe criminals. Better safe than sorry.
In case you were curious as to where you had heard the name Christopher Soghoian before, he was infamously raided by the FBI in 2006 for posting information about airport security that allegedly jeopardized homeland security. Hence the odd photo of him on his site in orange overalls being rubber-gloved by an officer of the law, presumably.
For a quick run through of removing Firefox addons check out this post. And, if you want to be really secure, disconnect your internet connection and uninstall Firefox altogether and maybe taking up gardening instead.