Mining All 30,000 Firefox Extensions for Goodies & Baddies

The good, bad and the ugly in 1.2 million public files

Jan 25

The browser is the new hot attack surface: everyone uses one every day, and end users can install unsanctioned extensions that siphon out all their data willy-nilly. A security nightmare! But surely no one would publish malicious browser extensions - and even if they did, Google would make it easy to report them, action those reports, and wouldn't slap a "featured" badge on them... right?

On a random weekend, I decided to mine all ~30,000 Firefox extensions and sift for low-hanging fruit. Heads up - I didn't find anything particularly juicy - but to combat publication bias I'm writing it up anyway, as my thought process might be interesting to you or other researchers in the future.

Plugin Composition and Scraping

Firefox plugins come in .xpi files, which are just renamed .zip files. Inside are all the JS/HTML/CSS/static assets and a manifest.json file filled with metadata, requested permissions, when to fire (e.g. only on certain sites) and what assets to load.
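Because an .xpi is just a zip archive, the manifest can be read straight out of it without unpacking anything to disk. A minimal sketch in Python, not the tooling used for this post: `read_manifest` and `build_demo_xpi` are hypothetical helper names, and the demo archive is a made-up stand-in for a real extension.

```python
import io
import json
import zipfile


def read_manifest(xpi):
    """Return the parsed manifest.json from an .xpi (path or file-like object)."""
    with zipfile.ZipFile(xpi) as archive:
        with archive.open("manifest.json") as fh:
            return json.load(fh)


def build_demo_xpi():
    """Build a tiny in-memory archive standing in for a real .xpi (illustrative only)."""
    manifest = {
        "manifest_version": 2,
        "name": "demo",
        "version": "1.0",
        "permissions": ["activeTab", "storage"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
        archive.writestr("content.js", "console.log('hi');")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    manifest = read_manifest(build_demo_xpi())
    print(manifest["name"], manifest["permissions"])
```

Real-world manifests are messier than the demo (some are not strict JSON), so a bulk run would likely want a try/except around the parse rather than assuming every file loads cleanly.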

There's a frontend Firefox extension search that queries a Firefox API. Tampering with the &page_size=50 parameter (the maximum) and stepping through the &page=X field lets us dump every extension's metadata, including the .xpi file URL. Yucky script: ^[1]. We can then extract the raw CDN .xpi URLs: ^[2]. That allows us to download^[3] ~30,000 extensions amassing ~20 GB compressed (or ~40 GB uncompressed), from 0_bitches-0.4.xpi through to zxpath-1.0.2.xpi. We can then unzip these to view all the raw files or grab just each extension's manifest.json file: ^[4]. Thus began the process of throwing random libraries, APIs, and FOSS projects at the dataset to mine for interesting things.
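At 50 results per page, ~30,000 extensions works out to roughly 600 pages, which is the range the loop in [1] walks. One hedged way to pull the download links out of the saved pages is to walk the parsed JSON and keep any string ending in .xpi, which avoids depending on the exact response layout. This is a sketch, not the script from the post: `find_xpi_urls` is a hypothetical name, and the sample page below is invented (its nesting and URLs are assumptions).

```python
import json


def find_xpi_urls(node):
    """Recursively collect every string value ending in '.xpi' from parsed JSON."""
    found = []
    if isinstance(node, dict):
        for value in node.values():
            found.extend(find_xpi_urls(value))
    elif isinstance(node, list):
        for value in node:
            found.extend(find_xpi_urls(value))
    elif isinstance(node, str) and node.endswith(".xpi"):
        found.append(node)
    return found


# Made-up stand-in for one saved search page. Real responses carry far more
# fields, and this nesting is an assumption, which is why the walk above
# ignores structure entirely.
SAMPLE_PAGE = json.loads("""
{"results": [
  {"slug": "demo-one",
   "current_version": {"file": {"url": "https://example.invalid/demo_one-1.0.xpi"}}},
  {"slug": "demo-two",
   "current_version": {"file": {"url": "https://example.invalid/demo_two-2.1.xpi"}}}
]}
""")

if __name__ == "__main__":
    for url in find_xpi_urls(SAMPLE_PAGE):
        print(url)
```

Over a directory of saved pages, the same function could be applied to each `json.load`-ed file and the results written one per line to a file such as the extensionURLs.txt that [3] reads.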

Permhash (Permission hash)

Permhash is a novel way of clustering similar extensions across authors by hashing the list of requested permissions (e.g. activeTab or storage); Mandiant used it to hunt for and cluster malicious Chrome extensions. Rather than use their Chrome/Android-focused implementation, I just hacked together some jq to unpack the manifest.json files and throw them at sha256sum to get my hashes: ^[5]. The top six permission sets (and thus hashes) were: <no permissions declared>, storage, activeTab, activeTab,storage, <empty permission set declared>, tabs. Many smaller (<5) clusters also formed, which would be useful if a malicious item within one of them is located. In the following chart, the bottom right datapoint shows there are 9407 extensions that have a unique permhash (e.g. activeTab, tabs, storage, unlimitedStorage) and the top left shows 6789 extensions that share the same permhash (i.e. per above: <no permissions declared>).
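The same idea as the jq one-liner in [5] can be sketched in Python: concatenate the permissions in the order the manifest declares them and take the SHA-256. This is an illustration of that approach, not Mandiant's implementation. `permhash` and `cluster` are hypothetical names, and treating a missing permissions key the same as an empty list is an assumption of this sketch.

```python
import hashlib


def permhash(manifest):
    """SHA-256 of the manifest's permissions concatenated in declared order."""
    # Assumption: a missing "permissions" key is treated like an empty list.
    permissions = manifest.get("permissions") or []
    # Keep only plain strings; anything else is skipped in this sketch.
    joined = "".join(p for p in permissions if isinstance(p, str))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def cluster(manifests):
    """Group extension names by permhash: {hash: [name, ...]}."""
    clusters = {}
    for name, manifest in manifests.items():
        clusters.setdefault(permhash(manifest), []).append(name)
    return clusters


# Invented manifests for illustration only.
DEMO = {
    "ext_a": {"permissions": ["activeTab", "storage"]},
    "ext_b": {"permissions": ["activeTab", "storage"]},
    "ext_c": {"permissions": ["storage", "activeTab"]},
    "ext_d": {},
}

if __name__ == "__main__":
    for digest, names in cluster(DEMO).items():
        print(digest[:12], names)
```

Note that order matters here: ext_c declares the same two permissions as ext_a but lands in a different cluster. Sorting before hashing would merge them; whether that is desirable is a design choice rather than something the source settles.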

Scatterplot of hash occurrences vs. number of extensions

Virus Scan

Why not run a virus scan on all the unwrapped files? ClamAV, whilst not a leading vendor, does have a static virus DB that was easy to query. Of 1.2 million files it only flagged the plugins page_note (since removed) and pagenote as having Html.Exploit.CVE_2014_1800-1, which is an exploit for Internet Explorer 8-11 and not Firefox, so I deemed them false positives. Scanning the files with the stock Windows 11 Defender turned up nothing either.

YARA Scan

AV scanning relies on whole files, or large portions of them, matching a signature, and can gloss over smaller malicious chunks which YARA can catch. Throwing YARA over the dataset returned the following rule matches: ^[6]. Manually reviewing the results turned up more false positives - the only injustices to be found were plugins with obfuscated code, which is against Firefox add-on policies.

Malicious URLs

Fine, the files don't contain immediate malware artifacts. What about the URLs the extensions reach out to - are they known-bad? Google provides an API for its Safe Browsing DB that tags URLs with indicators such as malware, unwanted software, social engineering etc. Using a gross regex with grep over the files, I built a urls.txt file and processed it through the Safe Browsing API 500 URLs at a time: ^[7]. 177 hits were returned ^[8] - surely some true positives, right? Well, the vast majority of hits belonged to ad blocking or safe browsing extensions that simply ship with a static database of known-bad URLs. What remained was reviewed and nothing nasty was found.
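The batching step can be sketched in Python too. The request body below mirrors the shape used by the shell script in [7]; only the payloads are built here, nothing is sent. `batches` and `build_request` are hypothetical names, and the example URLs are invented.

```python
import json

BATCH_SIZE = 500  # URLs per request, as in [7]


def batches(items, size=BATCH_SIZE):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def build_request(urls, client_id="FirefoxPluginInvestigate", client_version="1.0.0"):
    """Build one lookup body with the same fields as the script in [7]."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": [
                "THREAT_TYPE_UNSPECIFIED",
                "MALWARE",
                "SOCIAL_ENGINEERING",
                "UNWANTED_SOFTWARE",
                "POTENTIALLY_HARMFUL_APPLICATION",
            ],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": url} for url in urls],
        },
    }


if __name__ == "__main__":
    # Invented URLs standing in for the contents of urls.txt.
    urls = [f"http://example.invalid/{i}" for i in range(1201)]
    for number, chunk in enumerate(batches(urls), start=1):
        body = json.dumps(build_request(chunk))
        print(f"batch {number}: {len(chunk)} urls, {len(body)} bytes")
```

Building the body with `json.dumps` rather than string concatenation means a URL containing a quote or backslash is escaped properly, which is one place where hand-assembled JSON tends to break.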

Secret Mining

Let's take a break from looking for baddies and look for goodies. Developers make mistakes (or don't know otherwise) and put API keys and other secrets in their code. So I ran TruffleHog locally over all 1.2 million files and it found hundreds of API keys for GitHub, GitLab, Gemini etc: ^[9]. Now I'm sure most of these are rotated or expired, but TruffleHog also kindly verifies whether secrets are still live, which gives us 426 valid secrets: ^[10]!
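Per-detector tallies like the ones in [9] and [10] can be produced from the scanner's output with a few lines of Python. This sketch assumes the results were saved as one JSON object per line with `DetectorName` and `Verified` fields; those field names are an assumption about the output format, and the sample records are invented. `tally` is a hypothetical name.

```python
import json
from collections import Counter


def tally(lines):
    """Count findings per detector, and separately those marked verified."""
    found, verified = Counter(), Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON record, e.g. log lines
        if not isinstance(record, dict):
            continue
        name = record.get("DetectorName")  # assumed field name
        if name is None:
            continue
        found[name] += 1
        if record.get("Verified") is True:  # assumed field name
            verified[name] += 1
    return found, verified


# Invented records for illustration only.
SAMPLE_OUTPUT = [
    json.dumps({"DetectorName": "Infura", "Verified": True}),
    json.dumps({"DetectorName": "Infura", "Verified": False}),
    json.dumps({"DetectorName": "Github", "Verified": False}),
    "not json: a stray log line",
]

if __name__ == "__main__":
    found, verified = tally(SAMPLE_OUTPUT)
    for name, count in found.most_common():
        print(f"{count:7d} {name} (verified: {verified[name]})")
```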

Did You Mean to Distribute that to the World?

Looking at the raw extension files on disk, are there any interesting files / file extensions^[11]? There were some interesting office files (.pptx, .docx, .xlsx) and plenty of 18+ images / audio clips. What I did find was some high schooler's assignment and even a backup of a French business's customer list and invoices (owner was notified).
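A count like the one in [11] is easy to reproduce. The sketch below walks a directory tree and tallies the text after the last dot of each file name, falling back to the whole name when there is no dot (which is how an entry like LICENSE would show up), and keeping case as-is so jpg and JPG stay separate. `extension_counts` and `make_demo_tree` are hypothetical names, and the demo files are invented.

```python
import tempfile
from collections import Counter
from pathlib import Path


def extension_counts(root):
    """Tally files under `root` by the text after the last dot in their name."""
    counts = Counter()
    for path in Path(root).rglob("*"):
        if path.is_file():
            # Files without a dot are counted under their full name.
            counts[path.name.rsplit(".", 1)[-1]] += 1
    return counts


def make_demo_tree(root):
    """Create a few invented files so the example runs anywhere."""
    base = Path(root) / "some_extension"
    base.mkdir(parents=True)
    for name in ["background.js", "content.js", "icon.PNG", "LICENSE", "backup.xlsx"]:
        (base / name).write_text("placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_tree(tmp)
        for ext, count in extension_counts(tmp).most_common():
            print(f"{count:7d} {ext}")
```

Sorting by count puts the boring bulk (images, scripts) first; the interesting finds tend to sit in the long tail of rare extensions.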

Other Attempts

Malicious extensions set your new tab page to some crypto miner or adware site, right? What if we just look at extensions with "chrome_url_overrides": {"newtab": "X"} in the manifest.json? Well, there are 1224 of them - too many to manually review.
Maybe Chrome has removed a malicious plugin that Firefox has yet to? After investigating - they operate fairly in lockstep.
Malicious code and URLs are going to be obfuscated strings constructed at runtime - can we detonate JS in a sandbox or walk through its execution statically to hook constructed strings? An attempt was made to do that with tools such as traverseJS, but there are so many means of constructing strings, and often so many preconditions to code execution, that whilst I think there's promise to the idea, it was not one I wanted to sink time into.
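For the new tab idea, the filter itself is simple once the manifests are parsed. A minimal sketch, assuming manifests are already loaded as dictionaries keyed by extension name: `newtab_override` and `group_by_override` are hypothetical names and the demo data is invented. Grouping by override target is only a rough triage aid, since identical file names do not imply identical content.

```python
def newtab_override(manifest):
    """Return the new-tab override declared in a parsed manifest, or None."""
    overrides = manifest.get("chrome_url_overrides")
    if isinstance(overrides, dict):
        return overrides.get("newtab")
    return None


def group_by_override(manifests):
    """List (target, [extension names]) pairs, largest group first."""
    groups = {}
    for name, manifest in manifests.items():
        target = newtab_override(manifest)
        if target is not None:
            groups.setdefault(target, []).append(name)
    return sorted(groups.items(), key=lambda item: len(item[1]), reverse=True)


# Invented manifests for illustration only.
DEMO = {
    "ext_a": {"chrome_url_overrides": {"newtab": "newtab.html"}},
    "ext_b": {"chrome_url_overrides": {"newtab": "newtab.html"}},
    "ext_c": {"chrome_url_overrides": {"newtab": "pages/start.html"}},
    "ext_d": {"permissions": ["tabs"]},
}

if __name__ == "__main__":
    for target, names in group_by_override(DEMO):
        print(len(names), target, names)
```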

Closing

Did I find any malicious plugins? No. Do I think there are dozens of malicious plugins that I failed to find? Yes. Did I amass a cool dataset for future work? Yes. Did I have fun finding secrets and business documents? Yes. And finally, do I believe in publishing failed research? Yes. :)

[1]

for i in $(seq 600 -1 0); do
    echo "$i ";
    sleep 2
    curl "https://addons.mozilla.org/api/v5/addons/search/?app=firefox&appversion=120.0&sort=updated&type=extension&lang=en-US&page_size=50&page=$i" --compressed -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'X-Country-Code: AU' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -o "searchPageResults/$i.json"
done

[3]

while IFS= read -r line; do
    echo "$line"
    sleep 1.1
    curl "$line" -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: none' -H 'Sec-Fetch-User: ?1' -o "extensions/${line##*/}"
done < extensionURLs.txt

[5]

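# Emits one line per manifest: name|version|file name|permhash|concatenated permissions
# The permhash is the sha256 of the permissions joined in manifest order with no separator.
for file in manifests/*.json; do
    jq -rj '"\(.name)"' "$file" | tr -d '|' &&
    jq -rj '"|\(.version)|"' "$file" &&
    echo -n "${file##*/}|" &&
    jq -rj '"\(.permissions | join(""))"' "$file" 2> /dev/null | sha256sum | cut -d ' ' -f 1 | tr -d '\n' &&
    echo -n "|" &&
    jq -rj '"\(.permissions | join(""))"' "$file" 2> /dev/null
    echo
done | tee -a permhashes.txt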

[6]

29064 Big_Numbers1
  10025 possible_includes_base64_packed_functions
   2196 IsSuspicious
   2077 Big_Numbers0
   1844 BASE64_table
    642 Big_Numbers3
    462 spyeye_plugins
    388 powershell
    357 vmdetect
    185 Big_Numbers5
    119 Big_Numbers2
     99 possible_exploit
     97 Big_Numbers4
     81 Cerberus
     54 without_attachments
     49 with_urls
     49 PM_Zip_with_js
     48 WarpStrings
     48 Warp
     43 network_dyndns
     34 without_images
     34 spyeye
     28 network_tcp_listen
     28 Chacha_256_constant
     26 generic_javascript_obfuscation
     25 CRC32_poly_Constant
     23 with_images
     19 ScarhiknStrings
     19 Scarhikn
     19 ppaction
     19 memory_shylock
     19 ldpreload
     19 CRC32_table
     16 SHA2_BLAKE2_IVs
     16 maldoc_indirect_function_call_3
     15 Borland
     12 invalid_trailer_structure
     12 blackhole_basic
     10 Str_Win32_Internet_API
     10 spreading_file
      9 with_sqlite
      9 SurtrStrings
      9 Surtr
      9 maldoc_getEIP_method_1
      8 without_urls
      8 Email_Generic_Phishing
      6 SHA3_constants
      5 SHA512_Constants
      5 CRC32c_poly_Constant
      4 function_through_object
      4 CRC16_table
      3 SHA1_Constants
      3 RIPEMD160_Constants
      3 RijnDael_AES_CHAR
      3 php_malfunctions
      3 multiple_versions
      3 invalid_xref_numbers
      3 Chacha_128_constant
      3 Bolonyokte
      2 WHIRLPOOL_Constants
      2 vmdetect_misc
      2 RijnDael_AES
      2 r57shell_php_php
      2 PoetRat_Python
      2 lookupip
      2 IronTiger_ASPXSpy
      2 inject_thread
      1 with_attachment
      1 Str_Win32_Winsock2_Library
      1 SipHash_big_endian_constants
      1 php_uname
      1 network_tcp_socket
      1 NETexecutableMicrosoft
      1 NET_executable_
      1 NET_executable
      1 MoleBoxv20
      1 Microsoft_Visual_Studio_NET_additional
      1 Microsoft_Visual_Studio_NET
      1 Microsoft_Visual_C_v70_Basic_NET_additional
      1 Microsoft_Visual_C_v70_Basic_NET
      1 Microsoft_Visual_C_Basic_NET
      1 maldoc_indirect_function_call_1
      1 JavaDeploymentToolkit
      1 IsWindowsGUI
      1 IsPE32
      1 IsNET_EXE
      1 HasOverlay
      1 HasDigitalSignature
      1 HasDebugData
      1 HackTool_Samples
      1 ecc_order
      1 DebuggerException__SetConsoleCtrl
      1 CRC32b_poly_Constant
      1 BLOWFISH_Constants
      1 APT1_WEBC2_Y21K
      1 antisb_threatExpert

[7]

```
batch_counter=1

process_batch() {
    local batch_data=$(awk "NR >= $1 && NR <= $2" urls.txt | awk '{printf "{\"url\":\"%s\"},", $0}' | sed 's/,$//')
    #echo $batch_data
    local request_data="{\"client\": {\"clientId\": \"FirefoxPluginInvestigate\", \"clientVersion\": \"1.0.0\"}, \"threatInfo\": {\"threatTypes\": [\"THREAT_TYPE_UNSPECIFIED\", \"MALWARE\", \"SOCIAL_ENGINEERING\", \"UNWANTED_SOFTWARE\", \"POTENTIALLY_HARMFUL_APPLICATION\"], \"platformTypes\": [\"ANY_PLATFORM\"], \"threatEntryTypes\": [\"URL\"], \"threatEntries\": [ $batch_data ]}}"
    curl -s "https://safebrowsing.googleapis.com/v4/threatMatches:find?key=APIKEY" -H "Content-Type: application/json" --data "$request_data" >> safebrowsing.json
    echo $batch_data | tr , "\n" | tail -n 1
}

for ((start=1; start<=$(wc -l < urls.txt); start+=500)); do
    end=$((start+500-1))

    # Process the batch and increment the batch counter
    process_batch "$start" "$end"
    ((batch_counter++))
done
```

[8]

570 extensions/safe_browsing-1.5.xpi
     18 extensions/touch_vpn-5.0.18.xpi
     18 extensions/natt_adblocker-3.0.0.xpi
     17 extensions/ytadblock-19.1008.3593.0.xpi
     16 extensions/adequa_mozilla-0.1.8.xpi
     16 extensions/adblocker_lite_firefox-0.4.3.xpi
     14 extensions/qwantcom_for_firefox-7.0.4.9.xpi
     12 extensions/midori_pmprivacy-1.0.0.2.xpi
      9 extensions/nomoreads_privacy_ad_blocker-1.0.5.xpi
      8 extensions/porn_blocker_cyberpurify-0.6.2.xpi
      8 extensions/auvitas-1.0.0.xpi
      8 extensions/adguard_adblocker-4.2.228.xpi
      7 extensions/zeroads-2.0.2.xpi
      7 extensions/ublock_origin_lite-2023.12.16.1327.xpi
      7 extensions/lastads_remove_ads_popups_more-1.0.0.1.xpi
      7 extensions/bamboo_blocker-0.0.0.2.xpi
      7 extensions/adzero_adblocker-23.210.4532.4.xpi
      6 extensions/t3_data4me-0.0.8.xpi
      6 extensions/qui_quo-1.26.7.xpi
      5 extensions/dms_deploy_utilities-0.0.1.3.xpi
      5 extensions/24infonews-1.1.7.xpi
      3 extensions/stumbleuponawesome-1.2.2.xpi
      3 extensions/radio_player_browser-0.1.2.xpi
      3 extensions/mandiant_advantage-2.6.1.xpi
      3 extensions/dertin-2.0.0.xpi
      2 extensions/wypl-2.0.4.xpi
      2 extensions/revoke_cash-0.5.9.xpi
      2 extensions/nervenschoner-1.3.xpi
      2 extensions/cryptkeeper-0.5.3.xpi
      2 extensions/browser_jsguard-4.0.2.xpi
      2 extensions/blockwallet-1.2.2.xpi
      2 extensions/appradio_pro-1.3.xpi
      2 extensions/adblocker_ultimate-3.8.14.xpi
      2 extensions/ad_blocker_genius_pro-10.0.0.xpi
      2 extensions/ad_aware_ad_block-3.0.0.xpi
      1 extensions/ubypass-1.5.1.xpi
      1 extensions/tt7753bang-2.6.xpi
      1 extensions/tgfixer-1.2.1.xpi
      1 extensions/speed_test_internet_download-1.0.1.xpi
      1 extensions/saifu_solana_wallet-1.5.0.xpi
      1 extensions/saifu_crypto_wallet-1.4.1.xpi
      1 extensions/nuh_uhh_p0rn_blocker-1.4.xpi
      1 extensions/nightly_app-0.2.7.xpi
      1 extensions/maskbook-2.11.4.xpi
      1 extensions/lootrush_wallet-10.30.30.xpi
      1 extensions/lite_netfilter-1.0.5.xpi
      1 extensions/kiay_shortener-1.0.0.xpi
      1 extensions/flatphpmyadmin-0.9.xpi
      1 extensions/finx-0.3.1.xpi
      1 extensions/devtools_prototyper-5.0a1.xpi
      1 extensions/crossmark-0.2.12.xpi
      1 extensions/bang_search_for_google-1.0.0.xpi
      1 extensions/bang-1.1.xpi

[9]

4760 PaypalOauth
   2102 YoutubeApiKey
   1855 Github
   1308 Gitlab
    990 AmplitudeApiKey
    724 EtsyApiKey
    342 Nethunt
    296 Infura
    296 Hunter
    286 Privacy
    260 EightxEight
    255 Circle
    184 Atera
    184 Aiven
    183 Gemini
    168 ZendeskApi
    159 Signable
    149 FastlyPersonalToken
    148 DatadogToken
    143 PrivateKey
    127 Twitch
    122 URI
    111 ExchangeRateAPI
    108 RingCentral
    105 Polygon
    100 Netlify
     98 SQLServer
     84 Getresponse
     76 VirusTotal
     67 CustomerIO
     59 HubSpotApiKey
     53 Swell
     53 GitHubOauth2
     50 DigitalOceanToken
     45 Pepipost
     37 Heroku
     36 Etherscan
     32 TomorrowIO
     29 Parseur
     25 SlackWebhook
     25 Host
     24 Agora
     23 Nytimes
     22 UnifyID
     22 Pixabay
     22 AirtableApiKey
     21 Tefter
     21 Coinbase
     20 Refiner
     20 NpmToken
     20 AWS
     19 Yandex
     19 Miro
     18 PubNubSubscriptionKey
     18 AlgoliaAdminKey
     16 CoinMarketCap
     16 Coda
     16 CloudflareApiToken
     15 Rawg
     15 RapidApi
     15 GCP
     14 NexmoApiKey
     13 Fmfw
     13 Audd
     12 Unsplash
     12 Sirv
     12 HelloSign
     11 BscScan
     11 BitLyAccessToken
     10 Uplead
      9 Vercel
      9 OpenAI
      9 LocationIQ
      9 Front
      9 Eventbrite
      9 Aha
      8 Shortcut
      8 OpenWeather
      8 OnWaterIO
      8 Mapquest
      8 Lastfm
      8 FixerIO
      7 SatismeterWritekey
      7 Loggly
      7 Honeycomb
      7 Codacy
      7 Bugherd
      7 Alibaba
      6 Twist
      6 SplunkOberservabilityToken
      6 HereAPI
      6 Flickr
      6 Diffbot
      6 BrowserStack
      6 Blogger
      5 TravisCI
      5 Qase
      5 Mockaroo
      5 Mandrill
      5 IpStack
      5 HuggingFace
      5 Gitter
      5 Geocode
      5 Databox
      4 WalkScore
      4 Urlscan
      4 SentryToken
      4 Newsapi
      4 Mite
      4 Intercom
      4 AzureStorage
      4 Alegra
      3 Yelp
      3 Websitepulse
      3 TicketMaster
      3 Stripe
      3 ShodanKey
      3 ScraperAPI
      3 Onesignal
      3 Nitro
      3 Metrilo
      3 LinkPreview
      3 LDAP
      3 Kylas
      3 IPGeolocation
      3 Guardianapi
      3 GTMetrix
      3 FXMarket
      3 FlatIO
      3 DetectLanguage
      3 ConvertApi
      3 ContentfulPersonalAccessToken
      3 Accuweather
      2 VisualCrossing
      2 Typeform
      2 TatumIO
      2 SendinBlueV2
      2 Scalr
      2 Rebrandly
      2 PubNubPublishKey
      2 OpenCageData
      2 Notion
      2 MaxMindLicense
      2 Mailgun
      2 LogzIO
      2 Lexigram
      2 Juro
      2 Imagga
      2 FTP
      2 FormBucket
      2 Ethplorer
      2 BlockNative
      2 Apilayer
      1 Whoxy
      1 WeatherStack
      1 Vpnapi
      1 TrelloApiKey
      1 TestingBot
      1 Slack
      1 ScrapingBee
      1 Roaring
      1 Reachmail
      1 PivotalTracker
      1 Owlbot
      1 Opsgenie
      1 NewRelicPersonalApiKey
      1 MyIntervals
      1 Moonclerk
      1 MailJetSMS
      1 Magnetic
      1 IPinfoDB
      1 Ipapi
      1 Geoapify
      1 Findl
      1 FacebookOAuth
      1 ExchangeRatesAPI
      1 Enigma
      1 DeepAI
      1 CloudflareCaKey
      1 Clarifai
      1 Chatbot
      1 AsanaOauth
      1 Artsy
      1 AirbrakeProjectKey

[10]

235 Infura
     23 SlackWebhook
     16 GitHubOauth2
     15 GCP
     14 Etherscan
     11 BscScan
     10 Unsplash
      8 OpenWeather
      7 Mapquest
      7 Alibaba
      5 OpenAI
      4 SentryToken
      4 LocationIQ
      4 Intercom
      4 Flickr
      4 CoinMarketCap
      4 AWS
      3 URI
      3 TicketMaster
      3 Diffbot
      3 ContentfulPersonalAccessToken
      2 YoutubeApiKey
      2 Twitch
      2 ShodanKey
      2 SendinBlueV2
      2 PubNubPublishKey
      2 OpenCageData
      2 Notion
      2 Lastfm
      2 IpStack
      2 IPGeolocation
      2 HuggingFace
      2 Github
      2 Ethplorer
      2 ConvertApi
      2 BlockNative
      2 BitLyAccessToken
      1 Yandex
      1 WeatherStack
      1 PubNubSubscriptionKey
      1 Moonclerk
      1 IPinfoDB
      1 Geoapify
      1 AirbrakeProjectKey

[11]

259826 png
 223171 svg
 196733 js
  98454 json
  53850 html
  52295 css
  30009 sf
  30009 rsa
  30009 mf
  28659 manifest
  28641 sig
  14732 jpg
  13542 map
  12992 woff2
  10255 ttf
   9886 ogg
   9208 woff
   8613 txt
   7876 md
   7517 gif
   6842 ts
   4032 bcmap
   3562 mdx
   3106 LICENSE
   2779 eot
   2647 mp3
   2531 ico
   2472 sample
   2282 scss
   2204 properties
   1580 jsm
   1558 jpeg
   1314 webp
   1159 otf
    946 less
    890 mjs
    536 xml
    490 wav
    478 tsx
    450 bin
    379 gz
    293 yml
    291 wasm
    225 zip
    213 JPG
    213 dll
    191 PNG
    177 psd
    174 jsx
    171 xcf
    <snip>