SlideShare uma empresa Scribd logo

Sunil-Hacking_firefox

Transferir como PPT, PDF
G
guest66dc5f

This document summarizes how malware can steal sensitive web information by exploiting Firefox vulnerabilities. It discusses how a malicious Firefox extension could intercept HTTP requests, parse them to retrieve usernames, passwords, credit card numbers entered by the user on various websites. The malware would collect these secrets into a list and send this list over the internet. It then describes some ways such a malicious extension could install itself on a victim's Firefox browser without their knowledge, including exploiting other software or extension upgrade vulnerabilities. It warns users to only install extensions from trusted sources and monitor their browser for unusual behavior.

Tecnologia
1 de 19
Hack Firefox to steal web-secrets Sunil Arora
How many of you use Firefox ?
Firefox and extensions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object]
Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
[object Object],Malware - Secret Collector -I Normal http request process Parse http request And Retrieve user typed Web secrets
Malware - Secret Collector - II ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],How to intercept http request “Notifications” mechanism in Firefox ???
Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
Communicator Module Target List Secret List Internet
How it can find its way to john’s Firefox - I ,[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],How it can find its way to john’s FireFox - II
Firefox extension upgrade vulnerability ,[object Object],[object Object],[object Object],[object Object]
Facebook Extension ,[object Object],[object Object],[object Object],[object Object]
Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
Advisory ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Thank U [email_address]

Recomendados

Wordpress security 101 202
Wordpress security 101 202Wordpress security 101 202
Wordpress security 101 202
James Ruffer
 
Security presentation
Security presentationSecurity presentation
Security presentation
Smart Mirror
 
EC-Council Hackway Workshop Presentation- Social Media Forensics
EC-Council Hackway Workshop Presentation- Social Media ForensicsEC-Council Hackway Workshop Presentation- Social Media Forensics
EC-Council Hackway Workshop Presentation- Social Media Forensics
Sina Manavi
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP Frameworks
Valency Networks
 
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyCSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
Yhal Htet Aung
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
East West University
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you think
Nathan Winters
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
achettih
 

Recomendados

Wordpress security 101 202
Wordpress security 101 202Wordpress security 101 202
Wordpress security 101 202
James Ruffer
 
Security presentation
Security presentationSecurity presentation
Security presentation
Smart Mirror
 
EC-Council Hackway Workshop Presentation- Social Media Forensics
EC-Council Hackway Workshop Presentation- Social Media ForensicsEC-Council Hackway Workshop Presentation- Social Media Forensics
EC-Council Hackway Workshop Presentation- Social Media Forensics
Sina Manavi
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP Frameworks
Valency Networks
 
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyCSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
Yhal Htet Aung
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
East West University
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you think
Nathan Winters
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
achettih
 
The trojan horse virus
The trojan horse virusThe trojan horse virus
The trojan horse virus
HTS Hosting
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
Martins Chibuike Onuoha
 
Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course Presentation
Jesse Emerick
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
Abdelhamid Limami
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
Avinash Sinha
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
Sagilasagi1
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part One
backdoor
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
Agnitum Outpost Pro product line
Agnitum Outpost Pro product lineAgnitum Outpost Pro product line
Agnitum Outpost Pro product line
Pavel Fyodorov
 
Internet browser and search engines
Internet browser and search enginesInternet browser and search engines
Internet browser and search engines
Joshua Pasion
 
Control your entire house with your iPhone
Control your entire house with your iPhoneControl your entire house with your iPhone
Control your entire house with your iPhone
guest66dc5f
 
Game
GameGame
Game
rolnick
 
Os Timed Original
Os Timed OriginalOs Timed Original
Os Timed Original
guest66dc5f
 
Awesome car collection
Awesome car collectionAwesome car collection
Awesome car collection
guest66dc5f
 
Freaky car number plates
Freaky car number platesFreaky car number plates
Freaky car number plates
guest66dc5f
 
Prakriti
PrakritiPrakriti
Prakriti
Developer
 
ACAD Basketball leaflet
ACAD Basketball leafletACAD Basketball leaflet
ACAD Basketball leaflet
guest66dc5f
 
Club Sports Leadership Workshop-Constitutions
Club Sports Leadership Workshop-ConstitutionsClub Sports Leadership Workshop-Constitutions
Club Sports Leadership Workshop-Constitutions
Kristen Gleason
 
CMS Basketball Tournament - Concept of Operation - 2014
CMS Basketball Tournament - Concept of Operation - 2014CMS Basketball Tournament - Concept of Operation - 2014
CMS Basketball Tournament - Concept of Operation - 2014
cmstechsvcs
 
Prakriti dr. m. sreedhar rao
Prakriti dr. m. sreedhar raoPrakriti dr. m. sreedhar rao
Prakriti dr. m. sreedhar rao
eayurveda
 
Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna)
ClubHack
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
Peter Wood
 

Mais conteúdo relacionado

Mais procurados

Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course Presentation
Jesse Emerick
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
Avinash Sinha
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part One
backdoor
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
Internet browser and search engines
Internet browser and search enginesInternet browser and search engines
Internet browser and search engines
Joshua Pasion
 

Mais procurados (10)

The trojan horse virus
The trojan horse virusThe trojan horse virus
The trojan horse virus
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
 
Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course Presentation
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part One
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
Agnitum Outpost Pro product line
Agnitum Outpost Pro product lineAgnitum Outpost Pro product line
Agnitum Outpost Pro product line
 
Internet browser and search engines
Internet browser and search enginesInternet browser and search engines
Internet browser and search engines
 

Destaque

Control your entire house with your iPhone
Control your entire house with your iPhoneControl your entire house with your iPhone
Control your entire house with your iPhone
guest66dc5f
 
Os Timed Original
Os Timed OriginalOs Timed Original
Os Timed Original
guest66dc5f
 
Awesome car collection
Awesome car collectionAwesome car collection
Awesome car collection
guest66dc5f
 
ACAD Basketball leaflet
ACAD Basketball leafletACAD Basketball leaflet
ACAD Basketball leaflet
guest66dc5f
 
Prakriti dr. m. sreedhar rao
Prakriti dr. m. sreedhar raoPrakriti dr. m. sreedhar rao
Prakriti dr. m. sreedhar rao
eayurveda
 

Destaque (10)

Control your entire house with your iPhone
Control your entire house with your iPhoneControl your entire house with your iPhone
Control your entire house with your iPhone
 
Game
GameGame
Game
 
Os Timed Original
Os Timed OriginalOs Timed Original
Os Timed Original
 
Awesome car collection
Awesome car collectionAwesome car collection
Awesome car collection
 
Freaky car number plates
Freaky car number platesFreaky car number plates
Freaky car number plates
 
Prakriti
PrakritiPrakriti
Prakriti
 
ACAD Basketball leaflet
ACAD Basketball leafletACAD Basketball leaflet
ACAD Basketball leaflet
 
Club Sports Leadership Workshop-Constitutions
Club Sports Leadership Workshop-ConstitutionsClub Sports Leadership Workshop-Constitutions
Club Sports Leadership Workshop-Constitutions
 
CMS Basketball Tournament - Concept of Operation - 2014
CMS Basketball Tournament - Concept of Operation - 2014CMS Basketball Tournament - Concept of Operation - 2014
CMS Basketball Tournament - Concept of Operation - 2014
 
Prakriti dr. m. sreedhar rao
Prakriti dr. m. sreedhar raoPrakriti dr. m. sreedhar rao
Prakriti dr. m. sreedhar rao
 

Semelhante a Sunil-Hacking_firefox

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna)
ClubHack
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
STO STRATEGY
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert Trend
SC Leung
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
Aditya K Sood
 

Semelhante a Sunil-Hacking_firefox (20)

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna)
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
File Inclusion.pdf
File Inclusion.pdfFile Inclusion.pdf
File Inclusion.pdf
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert Trend
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network Security
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Password Attack
Password Attack Password Attack
Password Attack
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Use
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 
091005 Internet Security
091005 Internet Security091005 Internet Security
091005 Internet Security
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
 

Mais de guest66dc5f

Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
guest66dc5f
 
WHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_LawWHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_Law
guest66dc5f
 
Rohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_lawsRohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_laws
guest66dc5f
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
guest66dc5f
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toaster
guest66dc5f
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
guest66dc5f
 
Varun-Subtle_Security_flaws
Varun-Subtle_Security_flawsVarun-Subtle_Security_flaws
Varun-Subtle_Security_flaws
guest66dc5f
 
longisland_golf_07
longisland_golf_07longisland_golf_07
longisland_golf_07
guest66dc5f
 
GolfLakeCity_002
GolfLakeCity_002GolfLakeCity_002
GolfLakeCity_002
guest66dc5f
 
ACAD Golf Leaflet
ACAD Golf LeafletACAD Golf Leaflet
ACAD Golf Leaflet
guest66dc5f
 
Greg Wells - Golf Warm Up
Greg Wells - Golf Warm UpGreg Wells - Golf Warm Up
Greg Wells - Golf Warm Up
guest66dc5f
 
2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Pres2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Pres
guest66dc5f
 

Mais de guest66dc5f (20)

David-FPGA
David-FPGADavid-FPGA
David-FPGA
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
WHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_LawWHITEPAPER-7_years_of_Indian_Cyber_Law
WHITEPAPER-7_years_of_Indian_Cyber_Law
 
Rohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_lawsRohas-7_years_of_indian_cyber_laws
Rohas-7_years_of_indian_cyber_laws
 
David-FPGA
David-FPGADavid-FPGA
David-FPGA
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toaster
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
 
Varun-Subtle_Security_flaws
Varun-Subtle_Security_flawsVarun-Subtle_Security_flaws
Varun-Subtle_Security_flaws
 
CostofWarinIraq
CostofWarinIraqCostofWarinIraq
CostofWarinIraq
 
NR-golf-sept07
NR-golf-sept07NR-golf-sept07
NR-golf-sept07
 
NR-golf-sept07
NR-golf-sept07NR-golf-sept07
NR-golf-sept07
 
golf
golfgolf
golf
 
longisland_golf_07
longisland_golf_07longisland_golf_07
longisland_golf_07
 
GolfLakeCity_002
GolfLakeCity_002GolfLakeCity_002
GolfLakeCity_002
 
ACAD Golf Leaflet
ACAD Golf LeafletACAD Golf Leaflet
ACAD Golf Leaflet
 
Greg Wells - Golf Warm Up
Greg Wells - Golf Warm UpGreg Wells - Golf Warm Up
Greg Wells - Golf Warm Up
 
2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Pres2006_Oregon_Golf_Travel_Market_Pres
2006_Oregon_Golf_Travel_Market_Pres
 
Golfphotos
GolfphotosGolfphotos
Golfphotos
 

Último

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Sunil-Hacking_firefox

  • 1. Hack Firefox to steal web-secrets Sunil Arora
  • 2. How many of you use Firefox ?
  • 3.
  • 4.
  • 5. Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
  • 6. John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
  • 7. Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
  • 8.
  • 9.
  • 10. Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
  • 11. Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
  • 12. Communicator Module Target List Secret List Internet
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
  • 18.