Thursday, July 15, 2010

OWASP's (non)role in the Backdoored Firefox Addon

You may have recently read about two addons that were removed from the Mozilla addon store: one because it contained malicious code that would steal passwords, and the second because of an escalation vulnerability.

A few people have asked me about a statement indicating that this addon was OWASP approved, or was on an OWASP recommended list. This confusion seems to stem from the statement posted with this article.

Hartmann told Netcraft:
"I was giving the OWASP Firefox Security Collection a try, installed a bundle of extensions unknown to me and started to have a look at a friend's online game from a security point of view. I started Burp Suite Pro in parallel to check what additional help I can get from the extensions, and to watch what they are doing."
OWASP does not actually maintain a Firefox Security Collection. Further investigation shows that the following link most likely explains the perceived relationship to OWASP.

In June of 2009 a post was made to the OWASP Phoenix chapter's local mailing list recommending a collection of Firefox addons. All of OWASP's mailing lists are public, and anyone who joins a list can post to it. The recommendation to try out this collection was not made by OWASP but by a member of the mailing list looking to share information that he had found helpful.

Later, in June of 2010, the malicious addon made its way into that collection and was ultimately discovered by Johann-Peter Hartmann whereupon it was reported to Mozilla and quickly acted on.

Kudos to Johann for discovering the issue and promptly reporting it for resolution. Hopefully this clears up the confusion regarding OWASP and the addon.

For any questions regarding the two addons, I encourage you to visit the official blog post and respond with comments there.

-Michael Coates