Christiaan008's video: OHM 2013: Abusing Exploiting and Pwning with Firefox Add-ons

For more information visit: http://bit.ly/OHM13_web To download the video visit: http://bit.ly/OHM13_down Playlist OHM 2013: http://bit.ly/OHM13_pl Speaker: Ajin Abraham The talk is about abusing and exploiting Firefox add-on Security model and explains how JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, Session storing and full privilege execution can be abused by a hacker for malicious purposes. The widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors resulting in confidential data theft and full system compromise. This paper is supported by proof of concept add-ons which abuse and exploits the add-on coding in Firefox 18, the release which Mozilla boasts to have a more secure architecture against malicious plugins and add-ons. The proof of concept includes the implementation of a Local keylogger, a Remote keylogger, stealing Linux password files, spawning a Reverse Shell, stealing the authenticated Firefox session data, and Remote DDoS attack. All of these attack vectors are fully undetectable against anti-virus solutions and can bypass protection mechanisms. I will be explaining the Firefox add-on structure, weakness of Firefox Security model, about how features like XPCOM, XPConnect, technologies like CORS, WebSocket, authenticated Session data saving feature etc. can be abused and exploited by a hacker resulting in data theft and full system compromise. I will also describe an attack scenario of spreading the malicious add-on by different methodologies effectively and will discuss about the mitigation strategies. Finally concludes with how it makes a real threat to security, a challenge for anti-virus vendors and addressing a serious security flaw in the security architecture to Mozilla foundation.