Nine of the 10 most popular Firefox extensions can leave computers vulnerable to security intrusions and malware, warn researchers from Northeastern University. Of 10 popular add-ons researchers examined, only AdBlock Plus was found to be safe. More than 2,000 Firefox extensions for Windows and OS X computers were found to be vulnerable, including Firebug, Greasemonkey, Web of Trust, NoScript Security Suite, Video DownloadHelper, Downthemall!, Flash Video Downloader, FlashGot Mass Downloader and Download YouTube Videos as MP4.
The add-ons examined in the research are all available from Mozilla’s official repository for Firefox extensions.
The extensions themselves aren't themselves malware or don't contain malware. Instead, they have security flaws that malware can exploit. In Firefox’s extensions platform, an add-on can interact with other enabled add-ons. It can access data and functions from other installed and enabled extensions. Hackers can craft safe-looking extensions — malware posing as a valid extension — that ride on the clean, legitimate extensions. If you unsuspectingly install such an add-on, it can exploit other add-ons in ways that let it get to your system files (including your cookies, browsing history and stored passwords) or redirect your browser to a phishing web page.
In an email to Ars Technica, Firefox’s vice president of product acknowledged the existence of the risk described by the Northeastern University researchers. He assured users that Firefox developers are updating both the browser itself and its extensions to improve security. Mozilla's WebExtensions API, which is already available in Firefox, shields users from such risks. The team is working toward sandboxing Firefox add-ons so that they will work independently of each other in isolation, without sharing code or functions.
Meanwhile, protect yourself from potential attacks — and speed up your computer — by removing any problematic Firefox extensions from your computer. Click on the Settings button (the icon with three horizontal lines at the right end of the address bar). Select Add-ons to open the Add-on Manager, and click Extensions on the left pane of the Add-on Manager. Click the Remove button for each add-on that you want to remove. We recommend finishing with a full system scan using your preferred antivirus program.
[Image credit: GongTo / Shutterstock.com]
