Firefox OS not secure, invites phishing and malware, says analyst

An analyst Axelle Apvrille from the Fortinet Blog has uncovered the security threats and loopholes in the underlying technology base for Firefox OS. She has developed an application for Firefox called CrackMe and has explored the malware threats and possibilities in the Firefox OS during the development. She says it is very easy in the Firefox OS to introduce malware and phishing.

Firefox OS employs applications which are “packaged applications” that consists of zipped resources or “hosted applications” on the web. In either case, it does not use any executable format which eliminates the need for disassemblers making the job easy for anyone who wishes to read the code and get into its resources and binaries. Furthermore, Firefox OS is based primarily upon HTML and Javascript, it makes the job easy for majority malware authors which use nested HTML documents to hide malicious code in a genuine web page.

Firefox OS

Firefox OS will also support hosted web applications which can do more harm than good. This enables malware authors to employ the phishing which uses a minor and a confusing modification in a web page to redirect the victim to the malicious website instead of the real one. For instance, if a genuine application is hosted at hxxp://facebook.firefox.os.application.com, the malware authors will host it at hxxp://facebook.firefox.os.applications.com with only an extra ‘s’ after application in the URL to differentiate between the real and malicious application. This increases the probability of victims hitting the malicious application every now and then.

Another common method is the use of embedding an executable inside a picture icon or something similar to escape most of the security scans that do not target that file type. The malware author can then run it using a malware Javascript. The biggest loophole so far is not the use of Secure HTTP protocol HTTPS which can bypass spying network sniffers from gaining any inside knowledge, says the blog post on Fortinet Blog. Even Android authenticates the communication with Google Play using the secure server but Firefox completely ditched it.

She concludes that it is disappointing to know that Firefox OS has the worst from the point of view of privacy and security. Mozilla has always laid emphasis on security and privacy, but it seems that in case of Firefox OS, it has preferred to keep it open source by compromising its security.

We will leave the judgment until the Firefox OS becomes mainstream.

Roger Dunning is a technology evangelist. He lives in New York with his wife and pet dog. You can find him 24×7 on the Internet.