CVE CyberSecurity Database News

CVE-2022-26387 - How Add-ons in Old Firefox Could’ve Opened the Door to Hackers

Poster -

In March 2022, Mozilla patched a concerning vulnerability—CVE-2022-26387—that exposed users of Firefox, Firefox ESR, and Thunderbird to a sneaky attack. Even careful users who checked add-on details before clicking "Add" could have been at risk, all because of the way signature checks and user prompts interacted. Let’s break down what happened, how it worked, and what you can learn from a bug that seemed minor, but could cause big trouble.

What Went Wrong in "Secure" Add-on Installation

Let’s say you want a new add-on for your browser. Firefox, like many modern browsers, protects you by checking an add-on’s signature—basically a cryptographic guarantee that the file hasn’t been secretly changed. If the signature is legit, you get the permission prompt, like this:

This add-on will have permission to:
- Access your data for all websites
- Read and modify bookmarks
...
[Add]  [Cancel]

Seems safe, right? Here’s the catch: in vulnerable versions, Firefox did the signature check before showing you that prompt—and never checked it again, even though installation didn’t happen until you clicked "Add".

In that window of time (which, for some people, could be seconds or even minutes), something could swap out the add-on file, replacing it with a malicious version. If that happened, Firefox would install the trojanized file—no further checks.

What Could an Attacker Do?

If an attacker could tamper with the extension package file after the initial signature check, but before the user clicked "Add", they could:

Replace it with a malware-laden version, bypassing all signature protections.

- Gain the same access the original add-on requested—all while the user believed they were installing the safe version.

Firefox downloads good-addon.xpi, checks the signature—looks fine.

3. The “Confirm Permissions” prompt pops up. _User takes a sip of coffee, maybe looks up the add-on details._
4. Meanwhile, a local attacker or compromised process quietly replaces good-addon.xpi in the download location with evil-addon.xpi.

Let’s illustrate using naive Python code to swap a downloaded file during “user pause”

import time
import shutil
import os

# Scenario: The original file is downloaded, Firefox has verified it, but waiting for user confirmation.

# Paths to simulate
downloaded_addon = './firefox_profile/extensions/good-addon.xpi'
malicious_addon = './attacker/evil-addon.xpi'

print('User downloads and prompts open. Waiting for opportunity...')

# Wait to simulate user reading prompt
time.sleep(7)

# Attack swaps out file
shutil.copyfile(malicious_addon, downloaded_addon)
print('Malicious add-on swapped in during confirmation dialog!')

# Later, user clicks 'Add', and the malicious add-on gets installed

This is just to show timing; real exploits would require access or control, but it illustrates the underlying flaw.

The Fix: Double-Checking

Mozilla’s fix was simple and effective: verify the add-on’s signature again right before actual installation, _after_ the user confirms the prompt. Any modification in the meantime? The install is blocked.

See the Mozilla bug report:  
https://bugzilla.mozilla.org/show_bug.cgi?id=1756526

Credits and References

- CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-26387
- Mozilla Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/

Don’t leave install prompts hanging open—attack windows matter!

And for developers: Always verify what you actually install.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 16:04:00 UTC