Background ---------- Firefox is very popular and secure web browser. Until now, it is used by millions of people and thousands of internet clubs. One of the great features of Firefox are extensions. You can use them to create things inside your browser which are beyond your imagination. Overview -------- Every Firefox extensions developer knows the 'hidden' property of 'install manifest'. This property can be used to hide _globally_ installed extensions and it can't hide only local extension (this is a design feature so the extensions installed by users can't be hidden). But it is not known that this can be easily bypassed.. Did you know that you can't trust to what Extensions manager is saying ? For detailed information look at the function 'hide_me()' in file 'src/chrome/content/ffsniff/ffsniffOverlay_orig.js' of my PoC. Proof of Concept ---------------- As a PoC I updated my Firefox sniffer extension (FFsniFF) so now it has the ability to hide itself. You can download it here: http://azurit.gigahosting.cz/ffsniff/ The new version (0.2) was tested _only_ with Firefox 2.0 (both linux and Windows). FFsniFF is a simple Firefox extension, which transforms your browser into the html form sniffer. Every time the user click on 'Submit' button, FFsniFF will try to find a non-blank password field in the form. If it's found, entire form (also with URL) is sent to the specified e-mail address. It also has the ability to hide itself from 'Extensions manager'. Solution -------- There's no solution for this problem at this time. azurIt, azurIt@IRCnet, azurit (at) pobox (dot) sk