Firefox extensions are popular, well-established and used by millions of people around the world. Some of these extensions are recommended by the Mozilla community, and are implicitly trusted by the masses. Little is known about Firefox extensions from a security perspective and our research intends to fill this gap.The talk is divided in two parts: theory and practice. First, we will explore the security model of Firefox extensions and present a security testing methodology. Next, we will illustrate how we applied the theory and discovered severe vulnerabilities in the most popular and recommended Firefox extensions. Examples of exploits will also be demonstrated.

After this talk, attendees will have gained a better understanding of the security implications, threats and risks of using and deploying Firefox extensions. Security professionals and auditors will be able to use our material as a security testing framework when auditing Firefox extensions.

| | | | | | | | | | |