Extending good and evil
Looking at all the possible extensions, one thing becomes evident: these extensions are very powerful. Once installed, a Firefox extension has full read and write access to the local file system, to the registry, and to network sockets. Extensions can even start new processes on the local machine. Extensions are platform independent, if implemented correctly by the author, and can therefore read files from a Windows system as well as from a Linux machine. This allows an extension to perform very helpful features (as discussed above), but it can also be misused for evil motives. We have already seen examples like JS.Ffsniff, which attempts to steal passwords and sensitive data from the user. There are also prank applications like OfficePoltergeist, which allows a remote user to take limited control over a machine once it is installed. Did you ever wonder where these pop-ups come from? Maybe you should ask your office-mate. This behavior could easily be extended to build a full remote access Trojan that runs as a browser extension. FTP and web servers already exist as legitimate extensions. Such a back door could be dropped by an exploit, or by a Trojan, as Infostealer.Snifula did. As it runs inside the browser process, it would be non-trivial to block it on the desktop firewall. Of course, it would only run while the browser is open, but this is usually a very large window of opportunity.
Does this make Firefox a less safe browser? I don’t think so; similar extensions or plugins are possible for other browsers. Take Browser Helper Objects (BHOs) for Internet Explorer, for example: it already happened there a long time ago. A user still has to be tricked into downloading and installing the extension. It’s just that people might install an extension with less precaution in mind, compared to downloading and running an unknown executable.
How do you prevent it from happening to you? Be careful when installing extensions and double-check the trustworthiness of the source. Because most Firefox extensions are not signed, this can be a tricky task. If you are in serious doubt, simply check the source code yourself, as XPI extension files are just .zip archives with the scripts inside. With those precautions taken, in the end, nothing disrupts your browsing fun and you can enjoy surfing the Internet as much as possible (as you hopefully do right at this moment).
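One way to make that source check less tedious, as an added example that is not part of the original post: a small Python triage script that opens an XPI as a zip archive and flags every script referencing the privileged XPCOM interfaces (file system, process launching, sockets, registry) this post describes. The pattern list is an assumption, a starting set of legacy XUL-era interface names and contract IDs, not a complete catalogue, and the sample XPI is constructed inline.

```python
import io
import re
import zipfile

# Indicator patterns: legacy XPCOM interfaces / contract IDs that give an
# extension file-system, process, socket or registry access. Assumed starting
# list for triage, not an exhaustive one.
PRIVILEGED_PATTERNS = {
    "file-system": re.compile(r"nsI(Local)?File\b|@mozilla\.org/file/local;1"),
    "process": re.compile(r"nsIProcess\b|@mozilla\.org/process/util;1"),
    "sockets": re.compile(r"nsI(Server)?Socket|@mozilla\.org/network/socket-transport-service;1"),
    "registry": re.compile(r"nsIWindowsRegKey\b"),
}
SCRIPT_SUFFIXES = (".js", ".jsm", ".xul", ".xml")

def scan_xpi(xpi_bytes):
    """Return {member path: [capability, ...]} for an XPI given as bytes.
    Script members are matched against PRIVILEGED_PATTERNS; other members
    are listed with an empty finding list so the whole archive is visible."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            hits = []
            if info.filename.lower().endswith(SCRIPT_SUFFIXES):
                text = xpi.read(info.filename).decode("utf-8", errors="replace")
                hits = [name for name, pat in PRIVILEGED_PATTERNS.items() if pat.search(text)]
            findings[info.filename] = hits
    return findings

def build_sample_xpi():
    """Constructed sample XPI (not a real extension): one benign UI script
    and one script that spawns processes and touches local files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("chrome/content/ui.js", "document.getElementById('x').value = 1;")
        xpi.writestr("chrome/content/helper.js",
                     "var p = Components.classes['@mozilla.org/process/util;1']"
                     ".createInstance(Components.interfaces.nsIProcess);\n"
                     "var f = Components.classes['@mozilla.org/file/local;1']"
                     ".createInstance(Components.interfaces.nsILocalFile);")
    return buf.getvalue()

if __name__ == "__main__":
    for path, hits in scan_xpi(build_sample_xpi()).items():
        print(f"{path}: {', '.join(hits) or 'no privileged calls'}")
```

A hit is a reason to read that file closely, not proof of malice; legitimate FTP or web-server extensions will trip the same patterns.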