The bulk of Firefox extensions -- small plug-ins that add features or functionality and that are almost universally created by volunteer developers or hobbyists -- are hosted and updated from Mozilla's own SSL-secured site and are not vulnerable to this attack, Soghoian said. A number of broadly used third-party extensions, however, update from their own unsecured servers.
He listed Google Toolbar, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker among the at-risk add-ons, but he couldn't come up with an exhaustive catalog.
Ironically, some, such as Netcraft's, are designed to protect users against threats. "Users think 'I'm gonna make myself safer' by installing this extension, but they end up putting themselves at risk."
Soghoian recommended that until affected extension vendors release secure updates, users should either remove or disable all Firefox extensions and toolbars that have not been downloaded from the official Mozilla Add-Ons site.
