[Owasp-board] OWASP tied to trojaned Firefox Add-on

Matt Tesauro matt.tesauro at owasp.org
Thu Jul 15 19:21:50 UTC 2010


Additionally, there are these:
https://addons.mozilla.org/en-US/firefox/search/?q=owasp&cat=collections
by random people using the OWASP name.

I remember getting something on the GPC list about a Firefox collection, 
that's why I emailed Paulo.

There's also this post to the phoenix tools list from Adam Muntner:
https://lists.owasp.org/pipermail/owasp-phoenix/2009-June/000090.html

I scanned that collection and the offending plugin isn't there.

I also reached out to the guy who found the trojaned Add-on to see if I 
can get some specifics out of him.

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 7/15/10 2:03 PM, Tom Brennan wrote:
> they are talking about
>
> http://www.owasp.org/index.php/Phoenix/Tools
>
>
> On Thu, Jul 15, 2010 at 2:59 PM, Matt Tesauro<matt.tesauro at owasp.org>  wrote:
>> Paulo,
>>
>> Can you look through your list of people who have started OWASP projects
>> and see if this is an official OWASP project?
>>
>> If so, please reach out to the project leader and let them know about
>> the situation.  Hopefully, they can update their Firefox Add-on
>> collection quickly.
>>
>> Background:
>> http://news.netcraft.com/archives/2010/07/15/firefox-security-test-add-on-was-backdoored.html
>>
>> "I was giving the OWASP Firefox Security Collection a try, installed a
>> bundle of extensions unknown to me ..."
>>
>> Apparently the trojaned Add-on looked for any submitted login
>> credentials and submitted them to a specific IP along with the URL and
>> some other meta-data.
>>
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP Live CD Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
