Mozilla digital signature verification flaw causes browser extensions to fail

Cyber forensics course experts reported a security flaw related to Mozilla's digital signatures that mainly affects users of the Tor browser; so far, the company has only mentioned problems with intermediate certificates that have expired.

In recent days, Tor users encountered a popup window in the browser mentioning that one of the extensions was compromised, so it had been disabled. No more details were offered, as the alert only mentioned a “cybersecurity issue”.

When they began investigating the incident, cyber forensics course specialists discovered that the extension in question, NoScript, could not be verified by Tor, despite being an extension accepted by this browser. NoScript is an important security extension for this browser and is also compatible with other browsers.

This alert raised doubts about the browser's security, since it suggested either that threat actors had injected a fake version of NoScript into Tor, or that a critical Firefox vulnerability existed, given that this supposedly compromised version of the extension had been installed without the users' authorization.

Since Firefox version 44, released in early 2016, Mozilla has enforced a policy of refusing unsigned browser extensions, so the company now decides which plugins/extensions are allowed and which are not.

Shortly after the incident was revealed, Mozilla posted via Twitter: “We are investigating a security incident with a certificate that could cause your browser extensions to stop working or not to be installed properly. More details will be published as soon as our investigation is completed”.

Apparently, NoScript's own digital signature has not expired, so the problem lies with Mozilla. According to cyber forensics course specialists, Firefox stopped trusting NoScript because of a problem in Mozilla's digital signature process, not in the browser extensions themselves. The flaw also appears to affect digital signature validation for every extension in every version of Firefox.
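The failure mode described above, as an added example that is not Mozilla's code: an add-on signer certificate that is still inside its own validity period is rejected because the intermediate above it has expired, so every package signed under that intermediate fails at once. All names, dates and keys are constructed; the re-issued-intermediate step at the end illustrates how such a chain is repaired at the CA level and is not a description of Mozilla's patch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn, valid from nb to na, with parentKey; a nil parent means self-signed.
func issue(cn string, nb, na time.Time, ca bool, parent *x509.Certificate, parentKey, key ed25519.PrivateKey) *x509.Certificate {
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed random serial number
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// verifyChain runs the path validation a signature verifier performs: leaf -> inter -> root, as of time at.
func verifyChain(leaf, inter, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Scenario: the signer cert is inside its own window, yet the chain fails because the intermediate expired.
func Scenario() (leafInWindow bool, expiredErr, reissuedErr error) {
	t0 := time.Date(2017, 5, 1, 0, 0, 0, 0, time.UTC)
	newKey := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue("Constructed Root CA", t0, t0.AddDate(10, 0, 0), true, nil, nil, rootKey)
	inter := issue("Constructed Signing CA", t0, t0.AddDate(2, 0, 0), true, root, rootKey, interKey)
	leaf := issue("Constructed Add-on Signer", t0, t0.AddDate(5, 0, 0), false, inter, interKey, leafKey)
	at := t0.AddDate(2, 0, 1) // one day after the intermediate's NotAfter
	leafInWindow = !at.Before(leaf.NotBefore) && !at.After(leaf.NotAfter)
	expiredErr = verifyChain(leaf, inter, root, at) // rejected: intermediate expired
	inter2 := issue("Constructed Signing CA", t0, t0.AddDate(6, 0, 0), true, root, rootKey, interKey)
	reissuedErr = verifyChain(leaf, inter2, root, at) // accepted: same key, later NotAfter, leaf not re-signed
	return leafInWindow, expiredErr, reissuedErr
}
```

Because the re-issued intermediate keeps the original key pair, the existing leaf signature still chains to it; only the trust store needs the new certificate, which is why such a fix can be shipped without touching the signed extensions.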

Experts from the International Institute of Cyber Security (IICS) mention that Mozilla released a temporary patch, although it only works if the user has Mozilla's Studies feature activated. The drawback is that this feature enables data collection by the browser, so it is not a workable option for Tor users at all.

As a workaround, Tor users can temporarily disable the xpinstall.signatures.required preference; it must be enabled again once Mozilla releases the official update.