Might have stolen passwords to experimental apps

Jul 19, 2010 11:07 GMT  ·  By

The password-stealing Firefox extension banned by Mozilla from the official repository last week was distributed as part of a collection of add-ons meant for Web application penetration testers. Because of this, the attacker might have obtained access to websites and systems that are still in development.

Last Tuesday Mozilla announced the blacklisting and removal of an extension called “Mozilla Sniffer” from addons.mozilla.org. The add-on, which was downloaded 1,800 times and had 334 active daily users, was being used to steal login credentials entered into Web forms.

According to research from Netcraft, even though it was marked as experimental, “Mozilla Sniffer” was included in the “Web Application Security Penetration Testing” (webappsec) add-ons collection, which is maintained by a security company called Gotham Digital Science (GDS). This collection contains numerous tools (currently 83) valuable to security researchers and developers looking to test the security of new websites.

There are also strong indications that this was a targeted attack and that the extension's creator actually intended to have it added to this collection. One of these signs is that “Mozilla Sniffer” uses the UUID (universally unique identifier) of a very popular security add-on called Tamper Data, which is included in GDS' penetration testing collection.

Because Firefox keys installed add-ons by that identifier, this means the rogue extension installed itself in the same profile folder as Tamper Data and even overwrote some of its files. The technique was meant to keep users who noticed odd traffic from investigating further, since Tamper Data is a trusted add-on.
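One check a tester who installed the collection can run on a profile is an integrity audit of the extensions directory: parse each add-on's install.rdf, look up its em:id in a trusted inventory of names and file hashes, and flag unknown IDs, modified files and files that were never part of the trusted add-on. The script below is an added example, not code from the article, Netcraft or Mozilla; it builds a constructed profile in a temporary directory, with a placeholder extension ID standing in for Tamper Data's real one, and then simulates a second install that reuses the same ID and overwrites the folder.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespaces used by legacy Firefox install.rdf manifests.
RDF_NS = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM_NS = "{http://www.mozilla.org/2004/em-rdf#}"

# Constructed placeholder; NOT the real Tamper Data identifier.
PLACEHOLDER_ID = "{00000000-0000-4000-8000-000000000001}"

INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:name>{name}</em:name>
    <em:version>{version}</em:version>
  </Description>
</RDF>
"""


def parse_install_rdf(path):
    """Return id/name/version from an install.rdf (em:id may be element or attribute)."""
    desc = ET.parse(path).getroot().find(RDF_NS + "Description")
    return {
        "id": desc.get(EM_NS + "id") or desc.findtext(EM_NS + "id"),
        "name": desc.findtext(EM_NS + "name"),
        "version": desc.findtext(EM_NS + "version"),
    }


def hash_tree(ext_dir):
    """Map every file under ext_dir (relative, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(ext_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, ext_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def audit_extensions(extensions_dir, inventory):
    """Compare each installed add-on against inventory {id: {"name", "files"}}.

    Returns a list of (folder, finding, detail) tuples; an empty list is clean.
    """
    findings = []
    for entry in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, entry)
        rdf = os.path.join(ext_dir, "install.rdf")
        if not os.path.isfile(rdf):
            continue
        meta = parse_install_rdf(rdf)
        expected = inventory.get(meta["id"])
        if expected is None:
            findings.append((entry, "unknown-id", meta["id"]))
            continue
        if meta["name"] != expected["name"]:
            findings.append((entry, "name-mismatch", meta["name"]))
        actual = hash_tree(ext_dir)
        for rel in sorted(actual):
            if rel not in expected["files"]:
                findings.append((entry, "unexpected-file", rel))
            elif expected["files"][rel] != actual[rel]:
                findings.append((entry, "modified-file", rel))
        for rel in sorted(expected["files"]):
            if rel not in actual:
                findings.append((entry, "missing-file", rel))
    return findings


def write_ext(ext_dir, name, version, files):
    """Write an install.rdf plus the given {relpath: text} files (constructed data)."""
    os.makedirs(ext_dir, exist_ok=True)
    with open(os.path.join(ext_dir, "install.rdf"), "w") as fh:
        fh.write(INSTALL_RDF.format(id=PLACEHOLDER_ID, name=name, version=version))
    for rel, content in files.items():
        full = os.path.join(ext_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def run_demo():
    """Clean install, snapshot, then an ID-reusing overwrite; returns both audit results."""
    with tempfile.TemporaryDirectory() as root:
        ext_dir = os.path.join(root, PLACEHOLDER_ID)  # Firefox names the folder after em:id
        write_ext(ext_dir, "Trusted Add-on", "1.0",
                  {"chrome/content/overlay.js": "// trusted code\n"})
        inventory = {PLACEHOLDER_ID: {"name": "Trusted Add-on",
                                      "files": hash_tree(ext_dir)}}
        clean = audit_extensions(root, inventory)
        # A second XPI declaring the same em:id is treated as an update and lands
        # in the same folder, overwriting files and adding its own component.
        write_ext(ext_dir, "Trusted Add-on", "1.0.1", {
            "chrome/content/overlay.js": "// trusted code\n// plus a form-submit hook\n",
            "components/sniffer.js": "// constructed stand-in for a rogue component\n",
        })
        return clean, audit_extensions(root, inventory)


if __name__ == "__main__":
    for finding in run_demo()[1]:
        print(finding)
```

The inventory here is taken from the clean install itself; in practice it would come from hashing the XPI downloaded directly from the add-on's own project page, so that a later install under the same ID cannot rewrite the baseline along with the files.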

Furthermore, the extension's description contained the false claim that “the addon was validated by MOZILLA validation and reviewed by more than one addon developers.” The creator even resorted to impersonation. His now deleted profile listed the name “John Devid” and displayed the picture of John Paczkowski, deputy managing editor at All Things Digital.

Users who installed the “Web Application Security Penetration Testing” collection should review the security of the systems they tested immediately. “Many web applications that undergo security testing are not production ready and may have exposed vast amounts of data and resources to whoever has been harvesting the URLs and passwords stolen by this add-on,” researchers from Netcraft warn.

You can follow the editor on Twitter @lconstantin