Control interface tool experiences security hiccup
A vital security check for a Firefox extension has been reinstated to prevent malicious websites from interacting with a user’s system.
The issue was discovered within Tridactyl – a Firefox extension that lets users control the browser with keyboard commands instead of the mouse.
Users are advised to update to the patched versions of the extension – 1.16.1 or 1.14.13 – immediately. Versions 1.14.x and 1.15.x are still vulnerable.
Tridactyl has over 5,000 users, according to the Mozilla add-on site, and is modelled on the interface of Vim, the text editor.
“Importantly, it allows you to automate many actions – from open this link in a new tab and open the current page in mpv to shutdown my computer if I visit emacs.org,” said Oliver Blanthorn, one of the researchers who developed the Tridactyl tool.
Such automated actions, Blanthorn noted in a blog, are ones that “you wouldn’t want any web page you visit to be able to trigger”.
A security property checked in Tridactyl’s code is meant to tell the extension which keypress events to trust, preventing malicious websites from sending commands to the user’s browser.
But last month, researchers found that the check on the security property enabling those protections was no longer there – leaving users vulnerable to attacks dating back to September 2018.
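How such a trust check works in practice, as an added example that is not Tridactyl’s code: the article does not name the property, so the example assumes it is the DOM `Event.isTrusted` flag, which browsers set to true for genuine user input and to false for events a page script creates and dispatches itself. The key bindings and events are constructed sample data; the handler compares what runs with the check present and with it absent, and adds a second gate on system-affecting commands that a practitioner would want as defence in depth.

```javascript
// Added example, not Tridactyl's own code: a keypress dispatcher for a browser
// extension that acts only on keyboard events the browser itself generated.
// Assumption: the "security property" the article refers to is the DOM
// Event.isTrusted flag (true for genuine user input, false for events a page
// script dispatches itself).

// Key -> command table (constructed sample bindings, not Tridactyl's).
const KEYMAP = new Map([
  ["j", "scrollDown"],
  ["k", "scrollUp"],
  ["f", "hint"],
  ["!", "shellExec"], // a command that leaves the browser via a native messenger
]);

// Commands that can affect the user's system and therefore get a second,
// independent gate on trusted input (defence in depth).
const NATIVE_COMMANDS = new Set(["shellExec"]);

// Decide what to do with one keyboard event. Returns a plain object describing
// the decision so it can be logged and asserted on.
function handleKeypress(event, { requireTrusted = true } = {}) {
  const trusted = event.isTrusted === true;

  // Global gate: script-dispatched events are dropped before any lookup.
  if (requireTrusted && !trusted) {
    return { action: "ignored", reason: "untrusted event", key: event.key };
  }

  const command = KEYMAP.get(event.key);
  if (!command) {
    return { action: "ignored", reason: "unbound key", key: event.key };
  }

  // Second gate: native commands require trusted input even when the global
  // gate has been disabled or, as in the regression described above, removed.
  if (NATIVE_COMMANDS.has(command) && !trusted) {
    return { action: "blocked", reason: "native command needs trusted input", key: event.key, command };
  }

  return { action: "run", command, key: event.key };
}

// Feed a sequence of events through the handler and return the commands that
// would actually execute.
function commandsFor(events, options) {
  return events
    .map((e) => handleKeypress(e, options))
    .filter((r) => r.action === "run")
    .map((r) => r.command);
}

// Constructed sample: one genuine user keypress, then two events a page script
// dispatched (isTrusted false), one of them aimed at the native command.
const SAMPLE_EVENTS = [
  { type: "keydown", key: "j", isTrusted: true },
  { type: "keydown", key: "k", isTrusted: false },
  { type: "keydown", key: "!", isTrusted: false },
];

// Compare behaviour with the global trust check present and absent. With the
// check, only the user's own keypress runs; without it, the page's scrollUp
// runs too, and only the second gate keeps shellExec from executing.
function demo() {
  return {
    withCheck: commandsFor(SAMPLE_EVENTS), // ["scrollDown"]
    withoutCheck: commandsFor(SAMPLE_EVENTS, { requireTrusted: false }), // ["scrollDown", "scrollUp"]
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the second gate is that a single check guarding every command is a single point of failure: when it is accidentally removed, as happened here, nothing else stands between page-generated input and the native messenger. Gating the dangerous commands separately means a regression in the global check degrades to the page being able to scroll, not to it running shell commands.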
“Any website could send keypresses to Tridactyl and Tridactyl would merrily run them as if the user had pressed them,” Blanthorn wrote.
“This is quite terrifying for users who have our native messenger installed which allows you to execute anything you want in your shell; our fear was that, now, any website you visited would have that same pleasure.”