A critical vulnerability in Mozilla's Firefox browser allows "powerful adversaries" to launch man-in-the-middle (MitM) attacks. The flaw related to certificate pinning also affects the Tor Browser.
Firefox and Tor Browser susceptible to MitM attacks
Fully patched versions of Mozilla Firefox browsers carry a critical vulnerability. The flaw can be used by well-resourced threat actors to compromise systems of Firefox and Tor browser users using MitM attacks and malicious add-ons. While Mozilla still has to patch the bug, Tor Project has issued the patch with the release of Tor Browser version 6.0.5.
The vulnerability stems from Firefox's use of add-ons. The browser automatically updates installed add-ons every 24 hours and uses certificate pinning to prevent MitM attacks. However, thanks to a flaw in its own process has turned this pinning for add-on updates ineffective since the launch of Firefox 48 on September 10 and Firefox ESR 45.3.0 on September 3. The vulnerability could potentially allow a state-level attacker to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers. This MitM attacker can get a certificate by hacking or tricking a certificate authority (CA). Leveraging these, they can deliver malicious updates for installed Firefox extensions to launch malware.
It should be noted that it's extremely challenging to get fraudulent certificates from Firefox-trusted certificate authorities (CAs). However, it is definitely possible for a sophisticated threat actor, such as a criminal organization or a nation-state.
Tor particularly vulnerable
As Tor Browser is based on Firefox, this vulnerability also works on the anonymity network. According to researchers, Tor is particularly vulnerable as the browser comes pre-installed with HTTPS Everywhere and NoScript add-ons.
That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states). - Tor
Security researcher, movrcx, who is responsible for bringing this issue forward, said that it would cost an attacker nearly $100,000 to launch these types of mass attacks against users. The attack scenario wasn't approved by the Tor Project at first. Later on, independent researcher Ryan Duff confirmed that the attack indeed worked against both the browsers. Following this, the Tor Project addressed the vulnerability and released a patched version.
Firefox has confirmed that they "are not presently aware of any evidence that such malicious certificates exist in the wild and obtaining one would require hacking or compelling a Certificate Authority." The company is expected to release a patch tomorrow on September 20. In the meanwhile, users can disable automatic add-on updates to avoid any possibilities.
