IT Masala

A Tech Curry with a Pinch of Indian Spice

1st June 2007

Google, Yahoo, Facebook Extensions Put Millions of Firefox Users At Risk

Third-party extensions, including the widely used toolbars from Google, Yahoo, Ask, Facebook and LinkedIn, the social bookmarking extension from Del.icio.us, and two anti-phishing add-ons, the Netcraft Anti-Phishing Toolbar and the PhishTank SiteChecker, all put users at risk of having their browser infected with malicious code.

Unlike almost all of the extensions hosted by Mozilla, the foundation behind the open-source Firefox browser, these commercial extensions check for updates against servers run by their respective corporate overlords. And they do so over plain http:// rather than from servers with SSL certificates, the sites most users know as the ones starting with https://. Because such an update check is neither encrypted nor authenticated, anyone positioned between the browser and the update server can answer it with a malicious update, which the browser then downloads and installs with the same privileges as the extension it replaces.

One security extension, the McAfee SiteAdvisor add-on, which warns users when they are about to visit a site known to host untrustworthy downloads or malicious code, correctly uses an https:// URL for its updates.

UPDATE: Reader Johnny writes in the comments that the SiteAdvisor add-on is actually not safe:

Contrary to what the research suggests, McAfee SiteAdvisor is actually worse than any of these other major extensions. It periodically downloads completely unauthenticated code from McAfee's server, which it then executes with the same privileges as your browser.

Not only does this backdoor allow McAfee to do whatever they please with your computer, but a hacker can run any malicious code on your system without you ever noticing by simply spoofing the URL http://www.siteadvisor.com/download/safe/safe.js

More on the vulnerability from Ryan Naraine and Brian Krebs.