Important Warning: Vulnerability in third-party Firefox add-ons


Security researcher Christopher Soghoian points out a major vulnerability in third-party Firefox add-ons:

A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions.

He describes a scenario in which such a compromise can occur:

Users are vulnerable and are at risk of an attacker silently installing malicious software on their computers. This possibility exists whenever the user cannot trust their domain name server (DNS) or network connection. Examples of this include public wireless networks, and users connected to compromised home routers.

However, he emphasizes that the open source/hobbyist extensions hosted on Mozilla servers are safe:

The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.

Until the vendors fix this issue, you are advised to remove all add-ons obtained from third-party sites. Download add-ons from a safe and secure location. Also, avoid any updates in places like wireless cafes, public libraries, etc. Please take this warning seriously and spread the word about the possible vulnerability. It is better to err on the side of caution when it comes to software vulnerabilities.
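One way to see which installed add-ons fall into the affected group is to read each extension's `install.rdf` manifest and check where it asks Firefox to look for updates. The script below is an added example, not code from Soghoian's report or from Mozilla. It assumes the exposure is a vendor `em:updateURL` that is not served over HTTPS and that extensions sit unpacked under `<profile>/extensions/<id>/`; the verdict names and sample manifests are constructed for illustration.

```python
from pathlib import Path
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def update_channel(install_rdf):
    """Return (extension id, verdict) for the contents of one install.rdf."""
    root = ET.fromstring(install_rdf)
    for desc in root.iter(RDF + "Description"):
        about = desc.get("about") or desc.get(RDF + "about")
        if about != "urn:mozilla:install-manifest":
            continue  # nested targetApplication entries carry their own em:id
        def prop(name):  # a property may be a child element or an attribute
            child = desc.find(EM + name)
            value = child.text if child is not None else desc.get(EM + name)
            return value.strip() if value else None
        ext_id, url = prop("id"), prop("updateURL")
        if url is None:
            return ext_id, "default"   # no vendor update URL declared
        if urlparse(url).scheme == "https":
            return ext_id, "https"     # vendor URL, protected by TLS
        return ext_id, "insecure"      # vendor URL fetched without TLS
    return None, "no-manifest"

def audit_profile(profile_dir):
    """Return sorted ids of unpacked extensions with an unprotected update URL."""
    flagged = []
    for path in Path(profile_dir).glob("extensions/*/install.rdf"):
        ext_id, verdict = update_channel(path.read_bytes())
        if verdict == "insecure":
            flagged.append(ext_id or path.parent.name)
    return sorted(flagged)

# Constructed sample manifests (not taken from any real extension).
HEAD = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
        '<Description about="urn:mozilla:install-manifest">')
TAIL = "</Description></RDF>"
URL = "<em:updateURL>%s://update.vendor.example/u.rdf</em:updateURL>"
SAMPLES = [
    HEAD + "<em:id>toolbar@vendor.example</em:id>" + URL % "http" + TAIL,
    HEAD + "<em:id>tls@vendor.example</em:id>" + URL % "https" + TAIL,
    HEAD + "<em:id>hosted@author.example</em:id>" + TAIL,
]

if __name__ == "__main__":
    print([update_channel(manifest) for manifest in SAMPLES])
```

Pass your Firefox profile directory to `audit_profile()` to list the extensions to remove or hold back from updating on untrusted networks.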

Twitter tip by Mashable
