Here’s the bad news: There’s a new kind of browser attack that can take advantage of the normally helpful things that some of your extensions can do. It’s actually a rather ingenious attack. Rather than trying to infiltrate your browser and having it do something it shouldn’t, a malicious extension attempts to get your other extensions—which aren’t isolated from one another—to do things on its behalf.
The end result? It’s trickier to find the original attacker, since it’s basically hiding in plain sight. And this isn’t just an issue that affects lesser-known extensions. As researchers from Boston’s Northeastern University found, nine of the ten most popular Firefox extensions could be exploited by another extension—one that appears to be totally benign and normal on its face, but is piggybacking off of other extensions to steal a user’s personal data or redirect them to malware-filled websites (for example).
“These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks. Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures,” reads a paper from said researchers, presented at Singapore’s recent Black Hat Asia security conference.
Just to show how easy it is for an attacker to exploit these vulnerabilities, The Register reports that the researchers were able to upload a blatantly malicious—but harmless—extension to Firefox’s big gallery. The extension, dubbed “ValidateThisWebsite,” didn’t conceal its ambitions in its code whatsoever. And, yet, the extension still managed to make it through Mozilla’s security checks, even a more extensive “fully reviewed” analysis, without issue. (That’s likely because it’s not making any malicious calls to Firefox itself; it’s making other extensions do it once it’s installed in a user’s browser.)
Said researchers provided Firefox with an explanation of the process as well as a new Crossfire application that can assist with finding these sneaky extensions. Firefox vice president of product, Nick Nguyen, also issued a statement indicating that Mozilla is actively working to secure extensions and eliminate these cross-extension vulnerabilities.
“The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed,” it reads.
“Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative—our project to introduce multi-process architecture to Firefox later this year—we will start to sandbox Firefox extensions so that they cannot share code.”
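To make the difference between the two models concrete, here is an added example (not code from the article, from Mozilla, or from the CrossFire researchers) of how a WebExtension can expose a privileged action to other extensions without becoming a confused deputy: where legacy add-ons shared one JavaScript scope and could call each other's functions directly, a WebExtension is reachable only through `browser.runtime.onMessageExternal`, which hands the handler the calling extension's id, so the handler can allowlist callers and validate the request. The caller id and the `open-url` message type are hypothetical.

```javascript
// Added example, not from the article or the CrossFire paper. Background
// script of a hypothetical WebExtension that opens URLs on behalf of other
// extensions. Legacy add-ons shared a single JavaScript scope, so any add-on
// could invoke another's functions as if they were its own. A WebExtension
// can only be reached through explicit messaging, and each message carries
// the sender's extension id, which lets this handler decide who may use it.
const ALLOWED_CALLERS = new Set(["companion@example.com"]); // hypothetical id

// Pure decision function, kept apart from browser APIs so it can be tested.
// Returns { ok: true, url } or { ok: false, reason }.
function decide(message, sender, allowed = ALLOWED_CALLERS) {
  // 1. Only explicitly trusted extensions may invoke this interface.
  if (!sender || !allowed.has(sender.id)) {
    return { ok: false, reason: "caller not allowlisted" };
  }
  // 2. Only the one message type this extension intends to serve.
  if (!message || message.type !== "open-url" || typeof message.url !== "string") {
    return { ok: false, reason: "malformed request" };
  }
  // 3. Validate the argument: http(s) only, so a caller cannot use this
  //    extension to send the user to file:, javascript: or other schemes.
  let parsed;
  try {
    parsed = new URL(message.url);
  } catch {
    return { ok: false, reason: "invalid url" };
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return { ok: false, reason: `scheme ${parsed.protocol} not permitted` };
  }
  return { ok: true, url: parsed.href };
}

// Wire the decision into the real API only when running inside the browser.
if (typeof browser !== "undefined" && browser.runtime && browser.runtime.onMessageExternal) {
  browser.runtime.onMessageExternal.addListener((message, sender) => {
    const verdict = decide(message, sender);
    if (!verdict.ok) {
      // Rejected requests are logged with the sender id so that an extension
      // probing this interface leaves a trace in the background console.
      console.warn("rejected cross-extension request:", verdict.reason, sender && sender.id);
      return Promise.resolve(verdict);
    }
    return browser.tabs.create({ url: verdict.url }).then(() => verdict);
  });
}
```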
Source link: https://www.pcmag.com/news/popular-firefox-add-ons-vulnerable-to-cross-extension-exploit