
Mozilla digital signature verification flaw causes browser extensions to fail

Cyber forensics course experts have reported a security flaw related to digital signatures in Mozilla software that is mainly affecting users of the Tor browser; so far, the company has only mentioned problems with an intermediate certificate that has expired.

In recent days, Tor users encountered a popup window in the browser stating that one of their extensions was compromised and had therefore been disabled. No further details were offered, as the alert only mentioned a “cybersecurity issue”.

When they began investigating the incident, cyber forensics course specialists discovered that the extension in question, NoScript, could not be verified by Tor, despite being an extension accepted by this browser. NoScript is an important security extension for this browser and is also compatible with other browsers.

This alert raised doubts about the security of the browser, because of the possibility that threat actors could have injected a fake version of NoScript into Tor, or even exploited a critical vulnerability in Firefox, since this supposedly compromised version of the extension had been installed without users’ authorization.

Since version 44 of Firefox, launched at the beginning of 2016, Mozilla has enforced a policy of no longer allowing unsigned browser extensions, so the company now decides which plugins/extensions it allows and which it does not.

Shortly after the incident was revealed, Mozilla posted via Twitter: “We are investigating a security incident with a certificate that could cause your browser extensions to stop working or not to be installed properly. More details will be published as soon as our investigation is completed”.

Apparently, NoScript’s digital signature has not expired, so the problem lies on Mozilla’s side. According to cyber forensics course specialists, Firefox stopped trusting NoScript because of a problem in Mozilla’s digital signature process, not in the browser extensions themselves. In addition, the flaw appears to affect digital signature validation for every extension in every version of Firefox.
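Why an unexpired NoScript signing certificate still fails to verify once the intermediate above it expires, as an added illustration that is not part of the original article: a minimal chain-validation model in Python. The certificate names and validity dates are constructed for the example, not Mozilla’s real ones, and the chain is modelled as plain dicts rather than parsed X.509.

```python
from datetime import datetime, timezone

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed chain, leaf first: add-on signing cert -> Mozilla intermediate -> root.
# All names and dates are invented for illustration only.
CHAIN = [
    {"subject": "addon-signing-cert (NoScript)", "issuer": "addons-intermediate",
     "not_before": _utc(2018, 1, 1), "not_after": _utc(2020, 1, 1)},
    {"subject": "addons-intermediate", "issuer": "addons-root",
     "not_before": _utc(2017, 5, 4), "not_after": _utc(2019, 5, 4)},
    {"subject": "addons-root", "issuer": "addons-root",
     "not_before": _utc(2015, 1, 1), "not_after": _utc(2025, 1, 1)},
]

def cert_in_validity(cert, now):
    """True if 'now' falls inside the certificate's notBefore..notAfter window."""
    return cert["not_before"] <= now <= cert["not_after"]

def validate_chain(chain, now):
    """Walk the chain leaf -> root, checking issuer linkage and the validity
    window of EVERY certificate. Returns (ok, reason). A single expired link
    fails the whole chain, even when the leaf itself is still valid."""
    for i, cert in enumerate(chain):
        if not cert_in_validity(cert, now):
            return False, f"{cert['subject']} expired or not yet valid at {now.date()}"
        if i + 1 < len(chain) and chain[i + 1]["subject"] != cert["issuer"]:
            return False, f"issuer of {cert['subject']} does not match next cert"
    return True, "chain valid"

def expired_links(chain, now):
    """Names of every certificate in the chain outside its validity window:
    the check an operator would run to find which link actually broke."""
    return [c["subject"] for c in chain if not cert_in_validity(c, now)]

if __name__ == "__main__":
    for day in (_utc(2019, 5, 3), _utc(2019, 5, 5)):
        ok, why = validate_chain(CHAIN, day)
        print(day.date(), "leaf valid:", cert_in_validity(CHAIN[0], day),
              "| chain:", ok, "-", why, "| expired:", expired_links(CHAIN, day))
```

On the second date the leaf is still within its own window, yet the chain fails at the intermediate, which is exactly the symptom the article describes.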

Experts from the International Institute of Cyber Security (IICS) mention that Mozilla released a temporary patch, although it only works if the user has Mozilla’s Studies feature enabled. The drawback is that this feature turns on the browser’s data collection, so it is not a workable option for Tor users at all.

As a workaround, Tor users can temporarily disable the xpinstall.signatures.required setting; it must be enabled again once Mozilla releases the official update.
