I spy a spy
Recently, I discovered that the author of several Firefox add-ons has turned some of them into spyware designed to steal passwords from unsuspecting users. This post details the classic man-in-the-browser Trojan horse attack to raise awareness about shortcomings in Firefox’s WebExtensions API and the process for approving add-ons for distribution via the Firefox Add-ons website.
A gift for Troy
A year ago, Mozilla eliminated the so-called “legacy” extension platform in favor of a new WebExtensions API largely copied from Google Chrome’s extension API. This caused my AVIM extension to become incompatible with Firefox 57 and above, inconveniencing many Vietnamese-speaking Firefox users who depended on it to browse and communicate in their native language. I remain committed to eventually rewriting AVIM as a WebExtension, but there are significant technical hurdles.
In the meantime, two developers took advantage of the void left by AVIM. One created an extension that opens their homepage, from which they served ads alongside a download link for someone else’s desktop-based IME. Another, a self-described cybersecurity practitioner who goes by “domdomrung”, ported several add-ons from Google Chrome to Firefox, including a rudimentary “Vietnamese Input Method” extension. Both authors’ extensions had a blatant SEO character, but that in itself didn’t violate Mozilla’s add-on policies on security and privacy.
In April, domdomrung published a minor update to Vietnamese Input Method that automatically went out to existing users. The previous month, domdomrung had also updated a “SafeKids” extension that ostensibly provided child monitoring functionality. Buried within both updates were five lines of malicious code that logs users’ keystrokes and sends them to domdomrung’s website. Specifically, the code injects a script onto every webpage that logged each keystroke on any webpage to local storage. Every 3.6 seconds or upon pressing the Enter or Return key, if at least five characters had been typed, the script loads a tracking pixel from domdomrung’s domain, blog.mybloggertricks.org, using an Image constructor.
The putative image’s URL includes the typed characters and the current webpage’s URL. The resource at this URL is not an image but rather an HTML document that redirects to Google. Nonetheless, like any tracking pixel, merely accessing the URL is enough to populate the server logs with the payload. In this case, the payload includes a full browsing history and is very likely to include user names and passwords.
Surprise
Mozilla’s add-on policy requires every add-on to “disclose how the add-on collects, uses, stores and shares user data in the privacy policy” and “expects that the add-on limits data collection whenever possible”. Vietnamese Input Method had no privacy policy. Collecting keystrokes in this way provides no obvious user benefit. It’s impossible to know what domdomrung is doing with the data, but it isn’t difficult to imagine the data being used for nefarious purposes. (Some popular input method extensions do send keystrokes to a server but justify it as a necessary step for predictive suggestions. Such extensions do raise security and privacy concerns but are not necessarily malicious.)
Meanwhile, SafeKids has a bilingual privacy policy that attempts to justify keylogging as a legitimate function that gives parents control over their children’s browsing behavior. Parenting questions aside, it’s worth noting that only the English portion of the privacy policy says, “I and mozilla cant not view your log” [sic]. That statement can’t not be true, given how the extension phones home with browsing histories and keystrokes. Similar language is nowhere to be found in the Vietnamese portion of the privacy policy. I suspect domdomrung used this statement to deceive Mozilla Add-ons reviewers who speak English but not Vietnamese. It worked.
A bug in SafeKids makes it possible to identify at least two victims of this extension. The add-on aggressively added the keylogging script to every HTML document, failing to distinguish ordinary webpages from HTML documents serving as rich text editors, which are popular on forums. As a result, the malicious code is present verbatim in forum posts and elsewhere. Where possible, I have notified these individuals of the need to uninstall the malicious add-ons.
In July, a Firefox user left a review complaining about Vietnamese Input Method’s keylogging behavior. However, the add-on remained available for download. On September 1st, I discovered this add-on and reported it to Mozilla, and they removed it a couple days later. However, they haven’t added it to the blocklist, so users who have installed this extension continue to suffer this breach of privacy. On September 9th, I also reported SafeKids to Mozilla. It remains available for download.
On September 16th, I filed Bugzilla bugs 1,491,716 and 1,491,717 to add Vietnamese Input Method and SafeKids to the blocklist, which will quickly disable any existing installations. I urge Mozilla to act promptly to delete SafeKids and blocklist both add-ons.
Thanks to Mozilla for deleting and blocklisting both add-ons.
Prevention and preemption
This incident underscores the privacy risk posed by keyboarding software and undermines Mozilla’s claim that WebExtensions is inherently more secure than the legacy add-on platform that it replaced. Granted, with WebExtensions, a security vulnerability such as AVIM’s 2009 eval() bug can’t as easily escalate into a full-blown attack on the local machine. Still, as long as an extension has access to the keyboard and the network simultaneously, it’s all too easy for an unscrupulous add-on author to steal personal information en masse. The irony isn’t lost on me that my own subsequent efforts to keep AVIM secure through sandboxing frequently drew scrutiny from reviewers, scrutiny that these add-ons clearly didn’t receive.
Mozilla should audit existing add-ons for undeclared tracking pixel usage and reimpose a human review process for add-on updates, just as there was before WebExtensions. A human review process can help ensure that add-on developers aren’t using “clean” first versions as cover for future malicious updates. As it is, WebExtensions and the Firefox Add-ons website give users a false sense of security.
Beyond additional scrutiny, WebExtensions needs a dedicated, secure input method API. Such an API would isolate input method logic in an environment that lacks access to the network or indeed the rest of the webpage. Network access for predictive input methods could require a separate privilege. Ideally, an input method API would work throughout the browser, including in the search bar, as AVIM does. The lack of this functionality is a frequent complaint among users of Google Chrome’s input method extensions, including Google Input Tools and AVIM “lite”.
There is clearly a need for browser-based input method editors, as seen in the former popularity of AVIM for Firefox and the continuing popularity of input method extensions for Chrome. As Mozilla eliminates what’s left of legacy extensions, users shouldn’t have to forego their privacy in order to communicate in their own language. An add-on platform that facilitates legitimate extensions such as AVIM can keep malicious add-on authors from taking advantage of these users.
TrackBacks
TrackBack URL: <http://panel.1ec5.org/mt/mt-ping.fcgi/1703>
10/04/2018 @ 3:18 PM
akanagin
Reply
Scary. Is unikey.org safe?
10/07/2018 @ 8:33 AM
Minh Nguyễn
Reply
Yes, unikey.org is the official homepage of UniKey. However, note that there are unauthorized mirrors of that site. One of the SEO-style extensions mentioned above redirects to an unauthorized mirror of UniKey.