CVE CyberSecurity Database News

CVE-2023-5725 - How Malicious WebExtensions in Firefox Stole Sensitive Data

Poster -

-----

Summary

In late 2023, a critical vulnerability was discovered in Mozilla's Firefox and Thunderbird browsers, tracked as CVE-2023-5725. If you used Firefox before version 119, or Thunderbird/ESR before 115.4, you could have been at risk. The flaw? Maliciously installed WebExtensions (those browser add-ons or plugins) could open any URL they wanted. In the right hands, this bug could leak sensitive information. Let’s break down what happened, how, and what the exploit looks like.

What Is CVE-2023-5725?

CVE-2023-5725 is a security hole in Firefox (before 119), Firefox ESR (before 115.4), and Thunderbird (before 115.4.1). Malicious WebExtensions could:

Potentially harvest sensitive info

Why is this bad? Many people use Firefox for its privacy features. But if you installed a bad plugin, it could quietly send you to phishing pages, trigger unwanted downloads, or steal cookies/session data.

How the Exploit Occurred

WebExtensions are normally sandboxed—they shouldn't have permission to open arbitrary URLs, especially sensitive ones like local or internal services. Before the fix, a malicious extension could abuse a vulnerability in the extension API.

The Extension uses the browser.windows.create() API (or similar) to open a crafted URL.

3. The browser follows the command and opens the webpage—sometimes even including cookies, tokens, and session data.

The malicious page harvests or transmits the sensitive data back to the attacker.

Mitigation: Upgrading Firefox/Thunderbird closes the hole. Mozilla awarded a security bounty for this discovery.

background.js

// background.js - Malicious part of a WebExtension

// Open a bank login page or internal router page
const url = "https://mybank.com/login?session="; + getSessionToken(); // getSessionToken is just for demo

browser.windows.create({
    url: url, // Any arbitrary, attacker-controlled URL
    type: "popup"
});

// Could also use browser.tabs.create or browser.tabs.update to load URLs in the active session

With this, the Extension could call browser APIs to force-load any address—potentially grabbing cookie/session data if extra steps are performed.

Manifest.json (partial)

{
  "manifest_version": 2,
  "name": "Evil Extension",
  "version": "1.",
  "permissions": [
    "tabs", "windows"
  ],
  "background": {
    "scripts": ["background.js"]
  }
}

The core mistake: Firefox didn't properly restrict which URLs extensions could open with elevated context.

Send your session or cookies to remote servers

They could mask this behind innocent-seeming extensions: ad blockers, themes, coupon finders, etc.

Want to try safely?

What Versions Are Safe?

Upgrade your software!

Thunderbird: Make sure you’re running at least 115.4.1

You can check your version in Help > About or visit mozilla.org.

References

- Mozilla Security Advisory 2023-49
- NVD Entry
- Red Hat Security

Final Thoughts

Browser extensions are powerful, but also risky. CVE-2023-5725 shows how a single overlooked permission can allow attackers into your personal data. Always:

Stay safe—patch early, patch often!

*This post is exclusive to you—share it wisely!*

Timeline

Published on: 10/25/2023 18:17:44 UTC
Last modified on: 11/02/2023 20:28:43 UTC