Endpoint Vulnerability

Add-on lightweight theme installation approval bypassed through MITM attack

Description

Security researcher Armin Razmdjou discovered that a man-in-the-middle (MITM) attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because add-on installations of the lightweight themes do not require the use of HTTP over SSL. Firefox extensions were not directly affected and still required user approval for installation.

Affected Products

Firefox

References

CVE-2015-0812,