Firefox FormGrabber, IV – Who’s guilty and Conclusion

Who’s guilty ?

Both Firefox and Windows are to blame for.


Firefox simplifies the process of finding the target function PR_Write as it is inside a dll, compromising the security of the web browser.


Windows lets our malicious FormGrabber interfere with the normal Firefox’s workflow without asking any questions. It lets our process execute code within Firefox’s Virtual Address Space and more importantly it lets our malicious process change segments of Firefox code.
Continue reading

Firefox FormGrabber, III – Code Injection

How does it work ?

Proof of concept

The proof of concept is open source and can be found here : It includes instructions on how to run it on your machine.

The POC (Proof of Concept) has been successfully tested on Windows XP SP3, Windows 7 32 bits and Windows 7 64 bits with Firefox 11.0 and 12.0. Nevertheless, it has  failed to work on at least one Windows 7 64 bits computer.

The following image shows an example of network connections created by Firefox when logging in to a Facebook account. The first line represents the encrypted data sent over a secure tunnel between the web browser and (namely HTTPS). The second is a copy of the first but sent in plain text to localhost/postDemo.php. It contains the User’s email and password : “” and “guessMe”.

Firefox Hooked

Facebook HTTPS has been compromised. Users's Email and password are sent in clear text to localhots/postDemo.php

Continue reading

Firefox FormGrabber, II – Definitions and Firefox internals


Almost every sensitive information, such as passwords, login credentials, bank account numbers, credit card numbers, etc, is sent from your web browser when you fill an online “form” to a secure remote sever trough the web standard HTTPS POST.

A form grabber is a malicious code that intercepts POST data coming from web “forms” before the encryption takes place, thus avoiding the added security of the https protocol.

Continue reading

Firefox FormGrabber, I – Introduction


The following series of posts represent the completion of a university research project and a compilation of what has been said at INSA de Lyon the 26 of April 2012. You can  find the slides here. I highly encourage you to read these posts while browsing through the presentation.

I am not responsible whatsoever of the use or misuse of the information hereafter. Be wise.


  • CASTRO Rodrigo
  • COQUET Matthieu
  • SAUVAGNAT Xavier

Continue reading