Firefox and Tor Vulnerable to Man-in-the-Middle (MitM) Attacks

A critical vulnerability in Mozilla's Firefox browser allows "powerful adversaries" to launch human-in-the-middle (MitM) attacks. The flaw related to certificate pinning also affects the Tor Browser.

Firefox and Tor Browser susceptible to MitM attacks

Fully patched versions of Mozilla Firefox browsers carry a critical vulnerability. The flaw tin can be used by well-resourced threat actors to compromise systems of Firefox and Tor browser users using MitM attacks and malicious add-ons. While Mozilla nonetheless has to patch the problems, Tor Project has issued the patch with the release of Tor Browser version 6.0.5.

The vulnerability stems from Firefox's use of add-ons. The browser automatically updates installed add together-ons every 24 hours and uses certificate pinning to prevent MitM attacks. However, thank you to a flaw in its own process has turned this pinning for add-on updates ineffective since the launch of Firefox 48 on September ten and Firefox ESR 45.3.0 on September 3. The vulnerability could potentially allow a state-level attacker to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers. This MitM attacker can get a certificate by hacking or tricking a certificate authority (CA). Leveraging these, they tin can deliver malicious updates for installed Firefox extensions to launch malware.

It should be noted that it's extremely challenging to become fraudulent certificates from Firefox-trusted certificate authorities (CAs). However, information technology is definitely possible for a sophisticated threat actor, such as a criminal organization or a nation-state.

Tor specially vulnerable

Every bit Tor Browser is based on Firefox, this vulnerability besides works on the anonymity network. According to researchers, Tor is particularly vulnerable as the browser comes pre-installed with HTTPS Everywhere and NoScript add-ons.

That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla'due south servers and to evangelize a malicious extension update, eastward.g. for NoScript. This could lead to capricious lawmaking execution. Moreover, other built-in document pinnings are affected as well. Obtaining such a certificate is not an easy job, merely it'south within reach of powerful adversaries (e.k. nation states). - Tor

Security researcher,movrcx, who is responsible for bringing this upshot forward, said that it would cost an attacker nearly $100,000 to launch these types of mass attacks confronting users. The assail scenario wasn't approved by the Tor Project at starting time. Later on, contained researcher Ryan Duff confirmed that the attack indeed worked against both the browsers. Following this, the Tor Projection addressed the vulnerability and released a patched version.

Firefox has confirmed that they "are not presently enlightened of any evidence that such malicious certificates exist in the wild and obtaining 1 would require hacking or compelling a Certificate Authority." The company is expected to release a patch tomorrow on September twenty. In the meanwhile, users can disable automatic add-on updates to avoid any possibilities.