September 18, 2016
The vulnerability could allow a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers and as a result, deliver a malicious update for NoScript, HTTPS Everywhere or other Firefox extensions installed on a targeted computer.
“This could lead to arbitrary code execution [vulnerability],” Tor officials warned in an advisory. “Moreover, other built-in certificate pinnings are affected as well.”
Although it would be challenging to obtain a fraudulent certificate for addons.mozilla.org from any one of several hundred Firefox-trusted certificate authorities (CAs), it is within reach of powerful nation states attackers.
The vulnerability was initially discovered Tuesday by a security expert that goes by the name of @movrcx, who described the attacks against Tor, estimating attackers would need US$100,000 to launch the multi-platform attacks.