http://daryl.learnhouston.com/2005/02/22/prawnography-and-firefox-exploitability/ Thu, 20 Nov 2008 09:15:11 +0000 http://wordpress.org/?v=2.6.2 http://daryl.learnhouston.com/2005/02/22/prawnography-and-firefox-exploitability/#comment-1523 Kevin Wed, 31 Dec 1969 16:00:00 +0000 #comment-1523 This smells fishy to me. This smells fishy to me.

]]> http://daryl.learnhouston.com/2005/02/22/prawnography-and-firefox-exploitability/#comment-1528 Jason McKnight Wed, 31 Dec 1969 16:00:00 +0000 #comment-1528 u suck! u suck!

]]> http://daryl.learnhouston.com/2005/02/22/prawnography-and-firefox-exploitability/#comment-1537 Two Ells » A Simple Firefox Extension Build Script Wed, 31 Dec 1969 16:00:00 +0000 #comment-1537 [...] 9 am I’ve been working on building some extensions for Firefox, including my prawn doohickey and, starting today, something for work. When you build an extension, you have to follow a g [...] [...] 9 am I’ve been working on building some extensions for Firefox, including my prawn doohickey and, starting today, something for work. When you build an extension, you have to follow a g [...]

]]> http://daryl.learnhouston.com/2005/02/22/prawnography-and-firefox-exploitability/#comment-1713 Daryl’s Flock Blog » Extend Wed, 31 Dec 1969 16:00:00 +0000 #comment-1713 [...] Over a year ago, I blogged about a major but necessary flaw in the Firefox extensions framework that makes is possible for extensions authors to write extensions that appear to be nice but that can morph over time into malicious extensions. All it takes is writing an extension that makes an XMLHttpRequest call to a remote server and evaluates the javascript string returned. Say I write an extension with broad appeal, and it makes such a call, and during the first week of deployment, the javascript returned by the server does useful and expected and non-malicious things. But after a week of gathering users, say I change the javascript returned by the server so that it reads your cookies and sends them to me or performs some other potentially nasty tasks. This is entirely possible, and it’s long fueled wariness on my part about installing extensions. The browser tells you only to install trusted extensions, but how many of us have even noticed that warning, much less paid it very much attention? [...] [...] Over a year ago, I blogged about a major but necessary flaw in the Firefox extensions framework that makes is possible for extensions authors to write extensions that appear to be nice but that can morph over time into malicious extensions. All it takes is writing an extension that makes an XMLHttpRequest call to a remote server and evaluates the javascript string returned. Say I write an extension with broad appeal, and it makes such a call, and during the first week of deployment, the javascript returned by the server does useful and expected and non-malicious things. But after a week of gathering users, say I change the javascript returned by the server so that it reads your cookies and sends them to me or performs some other potentially nasty tasks. This is entirely possible, and it’s long fueled wariness on my part about installing extensions. The browser tells you only to install trusted extensions, but how many of us have even noticed that warning, much less paid it very much attention? [...]

]]>