Malicious browser extensions pose a serious threat and defenses are lacking

Many security products offer inadequate protection against malicious browser extensions, a researcher has found

By Lucian Constantin, IDG News Service |  Security

Balazs also tested Sandboxie, a program designed to isolate applications from the operating system by running them inside a sandboxed environment and preventing them from making permanent changes to other programs or data on the computer.

The product's website says that "running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially."

However, that only stops a rogue browser extension within Sandboxie from writing to local storage outside the sandbox. It can still log keystrokes and store them within the sandbox, capture images with the computer's webcam, or steal passwords and authentication cookies stored in the browser, the researcher said.

In general, malicious Firefox extensions can modify the settings of other extensions or the browser itself, but they can also indirectly modify the source files of installed extensions by downloading and executing a piece of malware designed to do this when the browser is closed, Balazs said. (The source files are locked while the browser is running.)

During a presentation Saturday at the Hacker Halted USA 2013 security conference, Balazs demonstrated how malware can insert backdoors into legitimate extensions and the effects this can have on the user's security. For his demonstration he backdoored the LastPass extension for Firefox.

LastPass is a password management service that uses a browser extension to automate form filling and website authentication. This allows users to have strong, separate passwords for all online services they use, while remembering only one master password that unlocks their encrypted password vault.

For increased security, LastPass supports two-factor authentication using the master password and one-time codes generated by physical YubiKey USB authentication devices or mobile applications such as Google Authenticator, Toopher and Duo Security.

LastPass claims on its website that it protects users against phishing scams, online fraud, and malware -- in particular key loggers. However, according to Balazs, the extension can't protect users against malware like financial Trojan programs that hook into the browser process, against other malicious browser extensions, or against local modifications of its own code.

Balazs' demonstration at Hacker Halted showed how a piece of malware could modify the code of the LastPass extension installed in Firefox so that it sends the user's master password and a YubiKey authentication code to an attacker, who could then use the information to access the user's password vault.

He released his proof-of-concept code for backdooring the LastPass extension on GitHub and said that developing it only took two hours.
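The attack described above depends on extension files being changed on disk while the browser is closed, which a file-integrity baseline can detect. The following is an added example, not code from the article or from Balazs: it hashes every file of the installed extensions, including the members of packed .xpi archives (which are ZIP files), and reports what changed since the baseline. The function names, the sample extension names and the file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
import zipfile

def snapshot(ext_dir):
    """Map each extension file, including members of packed .xpi archives, to its SHA-256."""
    hashes = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir).replace(os.sep, "/")
            if zipfile.is_zipfile(path):  # an .xpi is a ZIP: hash members so the report names the file
                with zipfile.ZipFile(path) as z:
                    for member in z.namelist():
                        hashes[rel + "!" + member] = hashlib.sha256(z.read(member)).hexdigest()
            else:  # file belonging to an unpacked extension
                with open(path, "rb") as f:
                    hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def compare(baseline, current):
    """Report files added, removed or modified since the baseline was recorded."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

def demo():
    """Constructed sample: one unpacked and one packed extension, edited after the baseline."""
    with tempfile.TemporaryDirectory() as d:
        js = os.path.join(d, "unpacked@example", "main.js")
        xpi = os.path.join(d, "packed@example.xpi")
        os.makedirs(os.path.dirname(js))
        with open(js, "w") as f:
            f.write("function login() {}\n")
        with zipfile.ZipFile(xpi, "w") as z:
            z.writestr("content/form.js", "function fill() {}\n")
        baseline = snapshot(d)
        # Stand-in for an out-of-browser edit made while the browser is closed.
        with open(js, "a") as f:
            f.write("// changed\n")
        with zipfile.ZipFile(xpi, "w") as z:
            z.writestr("content/form.js", "function fill() {} // changed\n")
            z.writestr("content/extra.js", "// new file\n")
        return compare(baseline, snapshot(d))

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is stored where code running as the user cannot rewrite it, and legitimate extension updates also change hashes, so the baseline has to be refreshed after each verified update.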
