This Firefox add-on forces other extensions to steal your data

Firefox extensions are exposing millions of users to a new bug capable of stealing sensitive data, it has been claimed.

An attacker can create a malicious add-on for Mozilla's web browser, which can then disguise its nature by forcing a legitimate, existing add-on, to do its dirty work for it, reports Ars Technica.

The flaw, dubbed an extension reuse vulnerability by the researchers who revealed it at the Black Hat security conference in Singapore, is able to do this because Mozilla has not isolated add-ons in its browser.

This means the bug can take advantage of vulnerabilities in other add-ons a user has enabled, and route its attacks through them instead.

These buggy add-ons include NoScript, Video DownloadHelper, FlashGot and Firebug, the researchers wrote in the paper.

The extensions send the user to malicious websites, or force them to download malware.

As quoted by Ars Technica, the researchers said: "These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks.

"Malicious extensions that utilise this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

However, it does rely on a user first downloading the malicious add-on, as well as having buggy extensions already enabled on their browser.

Mozilla admitted to Ars that such a bug would work in its Firefox browser, adding: "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia."