Mozilla Foundation Security Advisory 2015-32

Add-on lightweight theme installation approval bypassed through MITM attack

Announced: March 31, 2015
Reporter: Armin Razmdjou
Impact: Moderate
Products: Firefox
Fixed in:
  • Firefox 37

Description

Security researcher Armin Razmdjou discovered that a man-in-the-middle (MITM) attacker spoofing a Mozilla sub-domain could bypass the user approval prompt and install a Firefox lightweight theme. This was possible because lightweight theme installation did not require HTTP over SSL (HTTPS), so the trusted host name alone was accepted as proof of origin even though an on-path attacker can rewrite plain-HTTP traffic to that host. Firefox extensions were not directly affected and still required user approval for installation.
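The following is an added illustration of the class of origin check behind this advisory, not Firefox's own code: a host-only check (the weak form) beside one that also requires HTTPS (the hardened form). The trusted host list and the sample request URLs are constructed for the example.

```javascript
// Hypothetical origin check for deciding whether a lightweight theme install
// may skip the user approval prompt. Not Firefox's code; host list is assumed.
const TRUSTED_THEME_HOSTS = new Set(["addons.mozilla.org"]);

// Weak check: trusts the host name alone. Over plain HTTP an on-path attacker
// can answer for that host, so the name proves nothing about who served it.
function canSkipApprovalWeak(urlString) {
  const url = new URL(urlString);
  return TRUSTED_THEME_HOSTS.has(url.hostname);
}

// Hardened check: the host must be trusted AND the request must have used
// HTTPS, so the origin is authenticated by TLS rather than merely named.
function canSkipApprovalHardened(urlString) {
  const url = new URL(urlString);
  return url.protocol === "https:" && TRUSTED_THEME_HOSTS.has(url.hostname);
}

// Map a check's verdict to the browser action: "install" silently or "prompt".
function decideThemeInstall(urlString, check = canSkipApprovalHardened) {
  return check(urlString) ? "install" : "prompt";
}

// Constructed sample requests; the second models the MITM case from the
// advisory (trusted host name reached over plain HTTP).
const SAMPLE_REQUESTS = [
  "https://addons.mozilla.org/firefox/themes/1234/",
  "http://addons.mozilla.org/firefox/themes/1234/",
  "https://attacker.example/firefox/themes/1234/",
];

// Returns [url, verdict] pairs for every sample request under a given check.
function summarize(check) {
  return SAMPLE_REQUESTS.map((u) => [u, decideThemeInstall(u, check)]);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak:", summarize(canSkipApprovalWeak));
  console.log("hardened:", summarize(canSkipApprovalHardened));
}
```

Under the weak check the plain-HTTP request installs silently; under the hardened check it falls back to the prompt, which is the behaviour Firefox 37 restores.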
