Firefox add-ons update vulnerability
Christopher Soghoian has disclosed a security vulnerability in the way Firefox add-ons are updated.
The vulnerability affects add-ons that look for updates on web sites that don’t use an encryption mechanism such as SSL, as they could be subject to a man-in-the-middle attack, a well-known technique that may be used on any network connection. In this case, a black hat hacker could sniff network traffic for an add-on update request, fake the update site’s response and serve whatever malware he wants to the victim’s computer.
This can’t happen over secure connections, because setting up the encrypted connection involves verifying that the web server’s address matches the certificate used to encrypt it.
Add-on updates hosted at Mozilla Add-ons are not susceptible to this weakness, as that site uses SSL encryption.
Surprisingly, some well-known and widely used add-ons update over unsecured connections, including the Google Toolbar, Yahoo! Toolbar, del.icio.us, Facebook toolbar, Netcraft anti-phishing toolbar, AOL toolbar and many others, according to Soghoian’s report.
Providers hosting add-on updates should use secure connections or simply have them hosted by Mozilla Add-ons. At the same time, Firefox should only allow updates to occur over secure connections to avoid this threat.
In the meantime you may want to play it safe and restrict your add-ons to those provided by Mozilla Add-ons. Or at least avoid performing add-on updates while connected to a public network, and if you are using a router at home, make sure to secure it with a strong administrative password, following the instructions in your router’s manual.
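If you want to check which of your installed add-ons would be exposed, the following script (an added example, not part of this post or of Soghoian’s report) reads each unpacked add-on’s install.rdf in a Firefox profile and flags any em:updateURL that is not https://. It assumes the classic install.rdf layout under <profile>/extensions/<id>/; the embedded sample manifest is constructed for illustration and does not describe any real add-on.

```python
# Audit Firefox add-on install manifests for update URLs fetched over plain HTTP,
# which an attacker on the network path could spoof (see the post above).
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
MANIFEST = "urn:mozilla:install-manifest"


def update_url_from_manifest(rdf_text):
    """Return the em:updateURL declared in an install.rdf, or None if absent."""
    root = ET.fromstring(rdf_text)
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        # install.rdf files write 'about' either unprefixed or as rdf:about.
        if MANIFEST not in (desc.get("about"), desc.get(f"{{{RDF_NS}}}about")):
            continue
        # RDF allows the property as a child element or as an attribute.
        elem = desc.find(f"{{{EM_NS}}}updateURL")
        if elem is not None and elem.text:
            return elem.text.strip()
        return desc.get(f"{{{EM_NS}}}updateURL")
    return None


def classify_update_url(url):
    """No URL means Mozilla Add-ons (SSL); otherwise only https:// counts as secure."""
    if not url:
        return "mozilla"
    return "secure" if urlsplit(url).scheme.lower() == "https" else "insecure"


def audit_profile(profile_dir):
    """Map each unpacked add-on directory name to its update-channel classification."""
    results = {}
    for manifest in Path(profile_dir).glob("extensions/*/install.rdf"):
        try:
            url = update_url_from_manifest(manifest.read_text(encoding="utf-8"))
        except ET.ParseError:
            results[manifest.parent.name] = "unparseable"
            continue
        results[manifest.parent.name] = classify_update_url(url)
    return results


# Constructed sample manifest (not from any real add-on): it updates over plain HTTP.
SAMPLE_INSECURE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample-toolbar@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>"""
```

Run audit_profile() against your profile directory; any add-on reported as "insecure" is one whose updates travel unencrypted and should be updated only on a trusted network, or replaced with a Mozilla Add-ons copy.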