CVE-2018-5152 in Firefox
Summary
by MITRE
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in. This vulnerability affects Firefox < 60.
Analysis
by VulDB Data Team • 03/11/2023
This vulnerability represents a critical security flaw in Mozilla Firefox's WebExtensions architecture that allows malicious extensions to intercept sensitive user data during the Firefox Accounts authentication process. The issue stems from insufficient sandboxing and permission controls within the browser's extension framework, specifically affecting versions prior to Firefox 60. The vulnerability enables extensions with appropriate permissions to attach content scripts to Mozilla-owned domains such as accounts.firefox.com, creating a dangerous attack surface where user credentials can be compromised during login operations. The flaw specifically leverages the webRequest API which provides extensions with the ability to monitor and intercept network traffic, making it particularly dangerous for authentication processes where sensitive information flows through the network.
The technical implementation of this vulnerability exploits the trust model between Firefox extensions and Mozilla's own services. When users authenticate to Firefox Accounts, their credentials pass through network requests that can be intercepted by malicious extensions. The webRequest API provides extensions with the capability to listen to network traffic, and in this case, the permissions granted to extensions were insufficiently restricted for Mozilla domains. This creates a situation where an extension with legitimate permissions can be abused to monitor and capture user login data, including usernames and encrypted passwords during the authentication process. The vulnerability does not directly expose synchronization traffic or data already synchronized to the account, but rather focuses on the authentication handshake and initial user session data display, making it particularly insidious for credential theft.
The operational impact of this vulnerability extends beyond simple credential theft to potentially enable broader account compromise and user tracking. Attackers could use this vulnerability to establish persistent monitoring of user authentication activities across Mozilla services, potentially enabling credential reuse attacks or session hijacking once initial credentials are obtained. The attack surface is particularly concerning because it targets the authentication process itself, which is the primary security boundary for user accounts. Users who install malicious extensions may unknowingly expose their Firefox Account credentials, and the vulnerability affects all users running Firefox versions less than 60, representing a significant portion of the user base at the time of discovery. This vulnerability demonstrates how extension permission models can be insufficiently designed to protect against cross-domain attacks on trusted domains, creating a pathway for data exfiltration that bypasses normal security boundaries.
Mitigation strategies for this vulnerability involve both immediate user actions and broader architectural improvements. Firefox users should upgrade to version 60 or later, where the vulnerability has been patched through enhanced sandboxing controls and stricter permission enforcement for Mozilla domains. The fix implemented by Mozilla likely involved tightening webRequest API permissions for extensions accessing Mozilla domains and adding checks that prevent content script attachment to sensitive Mozilla services. Security researchers and extension developers should also consider the implications of the webRequest API for cross-domain monitoring, as this vulnerability highlights how legitimate extension functionality can be abused for malicious purposes. Organizations should implement extension vetting processes and consider the potential for privilege escalation when granting permissions to browser extensions, particularly those with network monitoring capabilities. This vulnerability aligns with CWE-284 (Improper Access Control) and represents a specific case of privilege escalation through extension abuse, potentially mapping to ATT&CK techniques T1176 (Browser Extensions) and T1071.001 (Application Layer Protocol: Web Protocols) in threat modeling frameworks.
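As an added example of the extension vetting the analysis recommends (this is not VulDB's or Mozilla's code), the following Python check flags a WebExtension manifest that combines the webRequest permission with host patterns reaching accounts.firefox.com, the combination this CVE relied on. The sensitive-URL list and the sample manifest are constructed for illustration; the match-pattern evaluation follows the documented WebExtension pattern syntax.

```python
import re
from urllib.parse import urlparse

# Login endpoint named in the advisory; a constructed list for this example.
SENSITIVE_URLS = ["https://accounts.firefox.com/signin"]

def pattern_matches(pattern: str, url: str) -> bool:
    """Evaluate a WebExtension match pattern such as '*://*.mozilla.org/*'."""
    u = urlparse(url)
    if pattern == "<all_urls>":
        return u.scheme in ("http", "https", "ws", "wss", "file", "ftp")
    m = re.fullmatch(r"(\*|[a-z][a-z0-9+.-]*)://([^/]*)(/.*)", pattern)
    if not m:
        return False  # a malformed pattern grants nothing
    scheme, host, path = m.groups()
    if u.scheme != scheme and not (scheme == "*" and u.scheme in ("http", "https")):
        return False
    hostname = u.hostname or ""
    if host.startswith("*."):  # '*.firefox.com' also covers 'firefox.com' itself
        if hostname != host[2:] and not hostname.endswith(host[1:]):
            return False
    elif host != "*" and hostname != host:
        return False
    path_re = re.escape(path).replace(r"\*", ".*")  # '*' in the path is a wildcard
    return re.fullmatch(path_re, u.path or "/") is not None

def host_patterns(manifest: dict) -> list:
    """Every host pattern the manifest requests, in MV2 and MV3 layouts."""
    pats = [p for p in manifest.get("permissions", [])
            if "://" in p or p == "<all_urls>"]
    pats += manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def audit_manifest(manifest: dict) -> list:
    """Patterns that, together with 'webRequest', reach a sensitive URL."""
    if "webRequest" not in manifest.get("permissions", []):
        return []
    return sorted({p for p in host_patterns(manifest)
                   for url in SENSITIVE_URLS if pattern_matches(p, url)})

# Constructed manifest: broad host access plus webRequest, the risky mix.
EXAMPLE_MANIFEST = {"manifest_version": 2, "name": "demo",
    "permissions": ["webRequest", "*://*.firefox.com/*", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
}

if __name__ == "__main__":
    print(audit_manifest(EXAMPLE_MANIFEST))  # ['*://*.firefox.com/*', '<all_urls>']
```

A manifest that requests webRequest without any host pattern covering the login endpoint, or the endpoint without webRequest, produces no finding, which is the distinction a vetting pipeline should make before blocking an extension.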