
NoScript and other popular Firefox add-ons open millions to new attack - akavel
http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
======
JoachimSchipper
The headline is very sensational. The actual research says that a malicious
extension can do its malicious work by reusing part of the code of existing
extensions, which may be less obvious than directly pwning the host.

The research isn't bad, but "here's a trick to hide (extension) malware using
(the code of) NoScript" is _very_ different from the most straightforward
reading of "NoScript is vulnerable".

~~~
andrewclunn
This is yet another article from Ars that has the stench of paid content.
Maybe conspiracy mongering, but it seems like they've done a lot of anti no
script / ad blocker stuff lately. Misinformation and scare tactics aren't
going to make savvy users expose themselves to the tracking, invasive ads,
and malicious code of the unfiltered web. Some less savvy Ars readers may be
fooled though.

~~~
angry-hacker
Noscript is considered to be harmful for a very, very long time. They show ads to
Windows users that install Spyware.

~~~
digi_owl
Are you confusing noscript and adblockplus?

------
jccalhoun
noscript author's response:

"It's a story of FUD and sensationalism, which got reported in such a careless
way that now makes explaining and correcting readers' perception an uphill
battle."

[https://hackademix.net/2016/04/08/crossfud-an-analysis-of-in...](https://hackademix.net/2016/04/08/crossfud-an-analysis-of-inflated-research-and-sloppy-reporting/)

~~~
RubyPinch
> Adblock Plus is not less "vulnerable", so to speak, than the other mentioned
> add-ons, despite what the article states. It's just that those "researchers"
> were not competent enough to understand how to "exploit" it.

This (plus the fact that ABP was harder to exploit than others via the
researchers' methods) made me giggle a bit considering the pasts of the two
extensions.

[https://google.com/search?q=adblockplus+noscript](https://google.com/search?q=adblockplus+noscript)

------
ryuuchin
Paper this article is based on can be found here[1].

I'm not aware that the tools they used or the source for the tools they used
was ever released although it was reportedly given to the Mozilla
reviewers[2]. Outside of the top 10 extensions they listed this makes it hard
to draw conclusions other than the fact that Firefox's extension architecture
leaves something to be desired although I'm not sure I would call it
surprising. Firefox has a long history of not making a push towards a more
secure platform. I'm not sure I would say they don't care but it's clearly not
a priority for them (in general, not specifically this incident).

This is speculating but I would imagine they may have integrated this into
their automated review process or at the very least done a more thorough scan
and contacted extension authors since they were reportedly given the tools.
Although a better question is could anything actually be done about this in
the extension's code (it may be in the paper, I didn't read it all the way
through)?

[1] [https://www.internetsociety.org/sites/default/files/blogs-me...](https://www.internetsociety.org/sites/default/files/blogs-media/crossfire-analysis-firefox-extension-reuse-vulnerabilities.pdf)

[2] [https://github.com/gorhill/uBlock/issues/1534](https://github.com/gorhill/uBlock/issues/1534)

~~~
JoachimSchipper
JavaScript is notoriously hard to analyze, and it's not clear to me that
Firefox should _want_ to isolate extensions from each other - yes, it stops
the most obvious form of this attack, but it also makes it impossible to
integrate things other than by making one mega-extension.

~~~
ryuuchin
> it's not clear to me that Firefox should want to isolate extensions from
> each other

I think it's more interesting that the new(?) extension API (Jetpack) which
was supposed to provide extension isolation is also apparently vulnerable to
this. If you want to make isolating extensions from each other opt-in then ok
but it should at least be able to do what it's designed to do.

------
ams6110
So, a malicious developer can create a browser extension that, when
deliberately installed by the user, can do malicious things. Who would have
guessed?

------
hackney
Instead of the incessant pandering to the, "look, it's insecure because of x",
we need to focus on how it IS secure and then making it even more so across the
board. The pedantic, ain't good enough, needs to change to how it can be
better.

