Alexa's Blog




Again, Google, Yahoo, Facebook Extensions Put Millions of Firefox Users At Risk

May 30th, 2007

As Ryan Singel reports in his post on Wired Blogs, the Firefox extensions provided by those companies (and probably others too) have a serious flaw in their update routines.

When the browser starts, those extensions check the provider's servers for a new version. The check should be done over a Secure Sockets Layer (SSL) connection, which encrypts all the data sent over the network and stops any sniffer from catching the request.

Those extensions made the check over a standard unencrypted connection, which allows a possible attacker to intercept the request and send back a malicious update. Once installed in your browser, that update can monitor and steal any information you enter into the browser. This includes any URL you type and any value you enter in the forms of HTML pages, INCLUDING ones opened over an SSL connection. Remember that the encryption applies only to the communication protocol: it happens after you have completed a payment form, for example, when the browser sends the collected data to the server.
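The kind of update check described above can be audited on installed extensions. This added example (not code from the original post or from any of the vendors) reads a legacy Firefox extension's `install.rdf` manifest and flags an `em:updateURL` that is not HTTPS. The manifest format is an assumption, since the post does not name it, and the sample manifests and the `vendor.example` host are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"  # namespace of the em: manifest properties

# Constructed sample manifest; the extension id and host are placeholders.
INSECURE = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>toolbar@vendor.example</em:id>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.vendor.example/update.rdf</em:updateURL>
  </Description>
</RDF>"""
SECURE = INSECURE.replace("http://updates", "https://updates")
NO_URL = "\n".join(l for l in INSECURE.splitlines() if "updateURL" not in l)


def update_urls(manifest_xml):
    """Collect em:updateURL values, written either as an element or as an attribute."""
    urls = []
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag == f"{{{EM}}}updateURL" and el.text:
            urls.append(el.text.strip())
        attr = el.get(f"{{{EM}}}updateURL")
        if attr:
            urls.append(attr.strip())
    return urls


def audit(manifest_xml):
    """Return (status, url): 'insecure' if any update URL is not https."""
    urls = update_urls(manifest_xml)
    if not urls:
        # The extension names no update server of its own.
        return ("no-update-url", None)
    for url in urls:
        if urlparse(url).scheme.lower() != "https":
            return ("insecure", url)
    return ("ok", urls[0])


if __name__ == "__main__":
    for name, manifest in [("insecure", INSECURE), ("secure", SECURE), ("none", NO_URL)]:
        print(name, audit(manifest))
```

Only run it on manifests from your own profile: `xml.etree.ElementTree` is not hardened against maliciously constructed XML.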

Well, this was a matter of time. What upsets me most is the fact that almost all the time the bigger threats are coming from big software providers which don't bother to check the most basic tutorials about how to handle updates in a secure way.

Millions of users have been using those extensions for a very long time, and they were exposed to this threat all that time. Worse, there is the possibility that you have already been hijacked, even though the hole was made public only now. Those are the exploits used by spammers and other bad guys to steal your private data.

Be very careful when choosing your Firefox extensions, and look first at what other people are saying about them. Having all kinds of toolbars and buttons in Firefox might help you with your daily tasks, but it can be a serious problem when you do private tasks or work with very sensitive data.

If you need more, read Ryan's story on Wired Blogs.

Take Care and Watch Yourself!
