Thursday, 25 March 2010

Serious security flaw in Personas for Firefox


Firefox proves it's capable of beating Internet Explorer in silly exploits.
With the release of Firefox 3.6 and the automatic inclusion and enabling of Personas, the popular alternative to Microsoft's Internet Explorer is showing signs that it's no better. For the unaware, Personas is a feature of Firefox that allows one to 'theme' the browser with images. Once a Mozilla-developed add-on, it's now included, installed, and enabled by default in the latest browser release.

The problem with adding it to the default install of Firefox is that it introduces a gaping hole.

The Problem

Besides it being shoved down the throat of the unsuspecting installer, it would not take much effort to introduce graphic images or, even worse, potentially code into the Persona, thus creating grief for the user. Shortly after the release of 3.6, an exploit was found where a website could potentially hijack the displayed image and then display something else. This is done without the user's intervention or permission.

Personas appears to rely on a fixed, arbitrary list of domains that are permitted to make changes, triggered by specific code embedded on a theme site. This essentially means that there are pages that are capable of changing the look of the browser based on an action such as a MouseOver or OnClick.

However, just as the previously-mentioned exploit demonstrated that Personas performed no authenticity check on the data it was fed, and thus made a cross-site scripting (XSS) attack possible, it has now become apparent that a man-in-the-middle (MitM) attack is also doable. By simply redirecting the unencrypted, unverified traffic to an alternative server, one can perform the same functions as the Personas website itself.

The lack of forced SSL creates this problem, as Firefox and Personas are unable to differentiate between the two servers. It is because of this that the 3.6 release is still subject to a serious security hole that remains to be patched. If one were to discover a method to have it execute code instead, this could create a rather large security problem that would obviously be quite embarrassing.

To add to this, the problem is worse in 3.5 and earlier releases that have the add-on, as opposed to the integrated feature. In this case, there are multiple domains that the extension looks for and permits to change the look and feel.

Demonstration

By simply forcing all traffic to the Persona site from a virtual machine to one of my personal servers, I was able to create an environment where Firefox 3.6 presumed it was on the appropriate website and enabled me to use the MouseOver feature to change the Persona's theme.

[Screenshot: the effects of the problem.]

As you can see, the page has been modified, and the event trigger goes through without batting an eye. No modification or changes had been made to the browser prior; this is a stock browser.

Affected software

All Mozilla 3.6 releases up to 3.6.2, and any pre-3.6 release that includes the Personas add-on. This is not operating system-specific either.

The Mozilla Foundation has been contacted and the problem is filed under bug 554856.

Workaround

It appears that disabling Personas in 3.6 requires a significant amount of effort, as it's included automatically and without any means of exemption during install. The simplest solution until Mozilla addresses this would be to either drop to a 3.5 release without the extension or stop using the browser altogether.

Fix

Mozilla can address this in a few ways:

  1. Force all Personas to require user permission before installation.
  2. Just like how extensions are installed via Mozilla's add-ons page, enforce SSL and do not allow Personas to be installed without it.
  3. Have all Personas signed.
  4. Allow the user to completely disable Personas with ease.

Point two should be one of the most important things done to prevent this from becoming a further problem.
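To make points one and two concrete, here is an added illustration (not Mozilla's code, and not code from this post) of the difference between the host-only trust check described above and one that enforces SSL and user consent. The allowlisted hostname `personas.example.org` and the sample URLs are constructed for the example; the real list of trusted domains is not reproduced here.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the fixed list of hosts that the
# Personas code trusts; the real list is not reproduced in the post.
TRUSTED_PERSONA_HOSTS = frozenset({"personas.example.org"})


def host_only_check(url: str, trusted=TRUSTED_PERSONA_HOSTS) -> bool:
    """Weak check, modelled on the behaviour described in the post: any
    page whose hostname is on the list may change the theme, whatever
    the transport. Over plain HTTP the browser only knows the hostname
    it asked for, so a connection redirected to a different server that
    answers under the same name passes this check unchanged."""
    host = (urlsplit(url).hostname or "").lower()
    return host in trusted


def forced_tls_check(url: str, trusted=TRUSTED_PERSONA_HOSTS) -> tuple:
    """Hardened check (fix point 2): the theme source must be reached over
    https, so the server's certificate rather than the bare hostname is
    what identifies it, and the hostname must still be on the list.
    Returns (allowed, reason) so a caller can log why a theme was refused."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        return False, "theme source not served over https"
    if host not in trusted:
        return False, "host %r is not a trusted persona host" % host
    return True, "ok"


def persona_change_allowed(url: str, user_consented: bool) -> tuple:
    """Combines fix points 1 and 2: an allowlisted https source *and* an
    explicit user decision (rather than a bare MouseOver) are both needed
    before the browser's look is changed."""
    allowed, reason = forced_tls_check(url)
    if not allowed:
        return False, reason
    if not user_consented:
        return False, "user has not approved this persona"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the trusted hostname over http (which is all a
    # redirected connection looks like to the browser), the same host
    # over https, and an untrusted host over https.
    for sample in ("http://personas.example.org/theme/1",
                   "https://personas.example.org/theme/1",
                   "https://attacker.example.net/theme/1"):
        print(sample,
              "host-only:", host_only_check(sample),
              "forced-tls:", forced_tls_check(sample))
```

The host-only check accepts the plain-HTTP URL because it has nothing but the name to go on, which is exactly the situation the demonstration above exploits; the hardened check refuses it before the hostname is even consulted.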

Conclusion

Because of this flaw, I advise taking the workaround to heart. I would like to thank aydiosmio on 2600net for initially pointing out the flaw to me. Let this be a reminder to all not to allow software to update without your permission.