Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2015-32

Add-on lightweight theme installation approval bypassed through MITM attack

Announced
March 31, 2015
Reporter
Armin Ebert
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 37

Description

Security researcher Armin Ebert discovered that a man-in-the-middle (MITM) attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because add-on installations of the lightweight themes do not require the use of HTTP over SSL. Firefox extensions were not directly affected and still required user approval for installation.

References