Probably no Firefox update security loophole…


Firefox NoScript update notification

Having only just sat at Starbucks to do some programming and cleaning out my desktop (I let far too many files accumulate) I accessed the free WiFi and launched Firefox only to see the above dialog presenting me with a NoScript update. Problem is, I'm connected to the WiFi hotspot but not to the open internet! Spooked out stuff.

In this circumstance I was presented with the above NoScript update notification when I connected to Wireless@SG but before I had entered my login credentials, so it couldn't have requested and received information from Mozilla yet. At least I hope not, for security's sake!

The only thing I can think of is Firefox pings for updates while running but doesn't download them, then if the application is relaunched it checks if any extensions have been flagged as outdated and proceeds to download them. I love the word ping.

I suppose in this way it doesn't download updates in the background which may slow a client's machine down… which is already slow from running Firefox, but instead just checks for the existence of updates. I think that's right, is it? Time to dust off my Mozillazine forum account?

Attack vector?

Picture this: say you were a malicious hacker in a public WiFi hotspot and you wanted to allow some remote code execution on some machines for your own mischievous purposes.

When a person connects to a [typical] hotspot they would connect to the WiFi network, then open their browser and use the web-based login screen for the hotspot provider to authenticate. The way this works is the remote server or router equipment would automatically redirect all traffic from any specified domain to the login screen.

If you could somehow get access to the router (still too easy to do due to a combination of weak passwords and being in the open) and modify its DNS settings to point all requests to the login screen except for the URL Firefox (or Chrome, or Opera…) uses to check for updates, could you perform a man-in-the-middle attack and provide a false update flag, followed by a false update executable that could contain your code? People would launch their browsers and not realise they don't have access to Mozilla.org yet, so when they're told there's an update they'd go ahead and download it.

I don't know too much about Firefox's internals; probably updates are digitally signed in some way to prevent MITM attacks, at least I hope they are. If they just rely on the URL being well formed and expected, a DNS attack like this could get around it.
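The difference between trusting the update URL and trusting a signature can be shown with a small in-memory model. This is an added example, not part of the original post and not Firefox's actual mechanism: the hostname, addresses and payloads are constructed, and a Lamport one-time signature built from SHA-256 stands in for whatever public-key scheme a real updater would use, because Python's standard library has no public-key signatures.

```python
import hashlib, hmac, secrets

def h(data):
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 secret pairs; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def bits(msg):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(h(s), pk[i][b])
        for i, (s, b) in enumerate(zip(sig, bits(msg))))

# Constructed scenario: hostname, addresses and payloads are all made up.
UPDATE_HOST = "updates.example.test"
VENDOR_SK, VENDOR_PK = keygen()   # VENDOR_PK is pinned inside the client
ROGUE_SK, _ = keygen()            # key held by whoever runs the rogue server
GOOD = b"extension v2 (genuine)"
EVIL = b"extension v2 (tampered)"

SERVERS = {
    "192.0.2.10": (GOOD, sign(VENDOR_SK, GOOD)),  # vendor
    "192.0.2.66": (EVIL, sign(ROGUE_SK, EVIL)),   # rogue, signed with its own key
    "192.0.2.67": (EVIL, sign(VENDOR_SK, GOOD)),  # rogue, replaying a real signature
}
HONEST_DNS = {UPDATE_HOST: "192.0.2.10"}
HIJACKED_DNS = {UPDATE_HOST: "192.0.2.66"}
REPLAY_DNS = {UPDATE_HOST: "192.0.2.67"}

def url_only_client(dns):
    """Accepts whatever is served under the expected hostname."""
    payload, _sig = SERVERS[dns[UPDATE_HOST]]
    return payload

def verifying_client(dns):
    """Accepts a payload only if the pinned vendor key signed it."""
    payload, sig = SERVERS[dns[UPDATE_HOST]]
    return payload if verify(VENDOR_PK, payload, sig) else None
```

With the hijacked resolver the URL-only client returns the tampered payload, while the verifying client returns `None` whether the rogue server signs with its own key or replays the vendor's signature over a different payload.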


Hey wait a minute, it's even easier!

viciously bangs head on table!

Stuff all this "accessed the WiFi before they log in" trickery, if you could break into the router and modify DNS you could do that even if they are logged in, and presumably you could do plenty of other more sinister things too.

I find talking about things like this out loud is a really fun and useful thing to do because in explaining my idea I better understand it myself. In this case, how silly my example really was!

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!
