Abusing Firefox Addons

Presented at DEF CON 17 (2009), Aug. 1, 2009, 2 p.m. (50 minutes)

Hundreds of Firefox addons are created every week. Millions of users download them. Some addons are even recommended by the Mozilla community, and users implicitly trust them. We don't trust a single one, and we will show you why. This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. From the Mozilla download statistics, over 15 million users are potentially affected. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits. Don't panic - the Addons manager can be found under the 'Tools' tab in your Firefox menu. We expect to see a lot of people clicking the "Uninstall" button after this presentation.

Presenters:

  • Nick Freeman - Security Consultant, Security-Assessment.com
    Nick Freeman is a security consultant at Security-Assessment.com, based in Auckland, New Zealand. After a couple of years of building systems for companies he has turned to breaking them instead, and spends his spare time searching for shells and the ultimate combination of whisky and bacon.
  • Roberto Suggi Liverani - Senior Security Consultant, Security-Assessment.com
    Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with companies such as Google, Oracle and Opera by reporting and helping to fix security vulnerabilities in their products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various security conferences around the globe.