"A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension's user base."
I specifically anticipated that Firefox would be vulnerable to such hijacks when Mozilla introduced their capability to auto-update Firefox.
The only thing I cannot remember is whether I ran like a scalded cat for a different browser when I realised,
or whether I just felt pleased with myself because I had already totally UN-installed Firefox because I had the aggravation of needing to frequently update.
Updates for Firefox are prepared by Mozilla's AUS (Automatic Update System) which was/is in the process of being upgraded as of a few months ago. From what I understand, it calls back to the update server to ask if there's anything new going on, and I'm fairly sure that much is hardcoded since it required a bug and patch to change, so I don't see it as being compromisable.
Thanks for the link Winapp2, I'm glad to see that Google has responded quickly and decisively to this problem.
Sorry, Derek, that your topic seems to have gotten derailed after your first post.
I don't mind at all. I think it's more important that people understand the potential vulnerabilities in both Chrome and Firefox. I try to never allow any application to automatically update itself without my knowledge or consent. I've been burned in the past and would prefer to have software that's one or two versions out of date and still working rather than something that is problematic, or worse, riddled with malware.