Last July, we pointed out that the Google Reader Notifier extension had turned into crapware, the NoScript add-on was hijacking another extension, and even the Fast Dial extension was spamming you---so it was only a matter of time before an extension came bundled with a full-blown trojan. Last time, it was as simple as spam links showing up in your browser, and tracking the URLs you were going to---really frustrating and evil, but not necessarily the end of the world, since it wasn't going to take over your PC. Yesterday, the Mozilla Add-ons blog reported that two extensions contained nasty trojans that hijacked your PC.
Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.
If you've installed those extensions at any point, you should make sure to run a full virus scan on your PC. Rant About Firefox Extension Security Instead of ranting again, let me just quote what I said last time this happened...
What's to stop yet another Firefox extension from turning into badware, sneaking in tracking codes, or stealing your personal information? It's already happened with two of the most popular extensions... Somebody at Mozilla needs to do something about this.
The current process over at Mozilla is to run an automated virus scanner against the extensions, and as a result of this issue they have added more scanning tools to the process. This doesn't solve the real issue, because any virus programmer with some skills can write a customized virus that doesn't get picked up by any of the commercial virus scanning tools. Sure, some of the tools have heuristics that will probably detect rootkits and some of the nastier techniques, but it's not going to prevent the issue entirely. The real problem isn't even a traditional virus, as far as I'm concerned. How difficult would it be for somebody to write a native Firefox extension that simply takes all your passwords and sends them to a rogue site? There's no security layer to prevent add-ons from accessing your personal information stored in the browser, and no virus scanner is going to pick up a native Firefox extension since they are written in Javascript. The Partial Solution Nobody's expecting Mozilla to scan through the source code of every single extension---that's just prone to human error anyway. What would make sense, however, is to have some layers of security that prevent add-ons from accessing any of your personal information stored in the browser unless you specifically allow them to. What Can You Do to Keep Safe? You should always make sure to check the reviews on an extension before you install it---don't just take somebody else's word when they vouch for an extension... make sure to do your due diligence to check things out first. The same thing applies for any application, of course---if you're installing applications without doing a virus scan, you're leaving yourself wide open to having your PC hijacked. Please read: Security Issue on AMO [Mozilla Add-ons Blog]