Add-on lightweight theme installation approval bypassed through MITM attack
- March 31, 2015
- Armin Razmdjou
- Fixed in: Firefox 37
Security researcher Armin Razmdjou discovered that a man-in-the-middle (MITM) attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because installation of lightweight themes did not require the use of HTTP over SSL. Firefox extensions were not directly affected and still required user approval for installation.
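The class of flaw described above, as an added example that is not Firefox source code: an approval decision that trusts a host name alone, next to one that trusts it only when TLS has authenticated the server. The domain `themes.example`, the function names and the sample URLs are all assumptions made for illustration.

```javascript
// Added illustration, not Firefox code. TRUSTED_DOMAIN is a placeholder and
// every function name here is hypothetical.
const TRUSTED_DOMAIN = "themes.example";

// True when host is the trusted domain or one of its sub-domains.
function isTrustedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return h === TRUSTED_DOMAIN || h.endsWith("." + TRUSTED_DOMAIN);
}

function parse(pageUrl) {
  try { return new URL(pageUrl); } catch (e) { return null; }
}

// Weak decision: skips the approval prompt based on the host name only.
// Over plain HTTP nothing authenticates the server, so a network attacker
// can answer as any sub-domain and inherit that trust.
function skipsApprovalWeak(pageUrl) {
  const u = parse(pageUrl);
  return u !== null && isTrustedHost(u.hostname);
}

// Corrected decision: the host name counts only when the page was loaded
// over HTTPS, i.e. the certificate check bound the content to that name.
function skipsApprovalStrict(pageUrl) {
  const u = parse(pageUrl);
  return u !== null && u.protocol === "https:" && isTrustedHost(u.hostname);
}

// Constructed sample URLs covering the cases that matter.
const SAMPLES = [
  "https://addons.themes.example/theme/1", // authenticated, trusted
  "http://addons.themes.example/theme/1",  // trusted name, unauthenticated
  "https://eviltheme­s.example/".replace("\u00ad", ""), // look-alike suffix
  "https://unrelated.example/theme/1",     // different domain
];

// Returns one row per URL so the two policies can be compared side by side.
function compare(urls) {
  return urls.map((url) => ({
    url,
    weak: skipsApprovalWeak(url),
    strict: skipsApprovalStrict(url),
  }));
}

console.table(compare(SAMPLES));
```

Only the plain-HTTP row differs between the two columns, which is the case a MITM attacker controls.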