Firefox is widely regarded as a very secure web browser, and that’s a reputation that Mozilla has worked tirelessly to build over the past eight years — blacklisting extensions, shutting down insecure plug-ins, revoking certificates, and patching holes as quickly as they appear. But even Firefox has some lingering security issues. One of those is the ease with which a third-party application can sneak unwanted (and potentially malicious) extensions into a user’s profile.

Researchers at Zscaler have shared a demo that shows just how easy it can be. All an application has to do is to inject a few bits into the Firefox extensions.sqlite database. Normally Firefox checks to see if any extensions have been added from one launch to the next, and users are shown an alert if a previously unknown extension is found. The injection neutralizes that check. By flipping the correct values, Firefox can be tricked into thinking that the extension has already been given the green light by a user.

That enables a third-party software installer to sneak in something like a moneymaking toolbar or search extension. Those, of course, are comparatively benign examples. It would be just as easy to activate something more malicious — such as a keylogger or a password stealer — without a user ever being alerted.

It’s also possible to append malicious code to an existing extension instead of adding a new one. That would keep the malware from showing up in the Add-ons Manager, so even users who are vigilant enough to manually inspect the list from time to time would be none the wiser.

What’s the solution? Perhaps it would be a good idea to follow Google’s lead and draw a line in the sand. As of Chrome 25, silent extension installs will be disabled by default, and the prompts have been set up in such a way that most users won’t re-enable the offenders.
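Both tampering patterns described above (a new extension slipped in with the database rewritten so it looks approved, and code appended to an extension that is already installed) defeat Firefox's own change check because that check trusts the very file being modified. A defender can keep an independent record instead. The script below is an added example, not code from the article or from Zscaler: it hashes every file under the profile's `extensions` directory plus `extensions.sqlite`, stores that as a baseline, and on the next run reports anything added, removed or modified. The profile layout (an `extensions/` subdirectory beside `extensions.sqlite`) is an assumption about the Firefox profile of that era, and the profile contents built in `demo()` are constructed solely to exercise the comparison.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Hash a file in chunks so large XPI/JAR payloads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_profile(profile_dir) -> dict:
    """Map each file under <profile>/extensions, plus extensions.sqlite, to its SHA-256.

    Assumed layout: an 'extensions' subdirectory and an 'extensions.sqlite' file
    directly inside the profile directory.
    """
    profile = Path(profile_dir)
    digests = {}
    ext_dir = profile / "extensions"
    if ext_dir.is_dir():
        for p in sorted(ext_dir.rglob("*")):
            if p.is_file():
                digests[p.relative_to(profile).as_posix()] = _sha256_file(p)
    db = profile / "extensions.sqlite"
    if db.is_file():
        digests["extensions.sqlite"] = _sha256_file(db)
    return digests


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared, or changed since the baseline."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed profile, baseline it, then simulate both tampering patterns."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        good = profile / "extensions" / "good@example.test"  # constructed extension id
        good.mkdir(parents=True)
        (good / "install.rdf").write_text("<RDF/>")
        (good / "bootstrap.js").write_text("// original code\n")
        # Constructed stand-in for the real database; only its hash matters here.
        (profile / "extensions.sqlite").write_bytes(b"SQLite format 3\x00" + b"\x00" * 16)

        baseline = snapshot_profile(profile)

        # Pattern 1: a new extension directory appears and the database is rewritten
        # so that the browser believes the user already approved it.
        sneaky = profile / "extensions" / "sneaky@example.test"  # constructed id
        sneaky.mkdir()
        (sneaky / "install.rdf").write_text("<RDF/>")
        (profile / "extensions.sqlite").write_bytes(b"SQLite format 3\x00" + b"\x01" * 16)

        # Pattern 2: code appended to an extension that is already installed,
        # which leaves the Add-ons Manager list unchanged.
        with (good / "bootstrap.js").open("a") as f:
            f.write("// appended code\n")

        return compare_snapshots(baseline, snapshot_profile(profile))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline would be written to disk (or a central store) while the browser is closed and compared at each login or scheduled scan; any entry in `modified` for `extensions.sqlite` that is not paired with a user-driven install is worth a closer look, and an entry for a file inside an existing extension is exactly the second pattern the article describes. Later Firefox releases moved the add-on registry out of `extensions.sqlite` into a JSON file; the same comparison applies once that file name is added to the snapshot.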