Security researchers have warned that hundreds of popular extensions for the Firefox browser have exposed millions of users to hack attacks.

Researchers from the Northeastern University in Boston discovered a flaw that allows hackers to stealthily execute malicious code hiding behind a seemingly benign extension, such as NoScript and Firebug, and steal data.

The flaw is attributed to a weakness in Firefox’s extension structure, which fails to isolate various browser add-ons. This allows them to connect to the capabilities of other popular third-party extensions.

"These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks," the researchers wrote in a paper presented at Singapore’s Black Hat security conference.

Hackers could exploit an extension reuse flaw by developing their own add-ons that hide malicious code and tap into the legitimate functions of popular extensions.

Connecting to other legitimate extensions allows hacker-developed add-ons to bypass Firefox’s security checks and extension vetting processes and gain access to a user's machine.

Extensions in the Firefox browser are handled with elevated user privileges, so the hidden malicious code can be used to steal passwords, private browsing data and system resources.

The more privileges a vulnerable extension has, the more scope a hacker has to gain access to data.

The flaw affects extensions with large user bases, such as DownloadHelper, which has over six million users, and NoScript, which has two million, indicating that the scope of the vulnerability is significant.

It is not clear whether the flaw has actually affected any users, as the researchers demonstrated it only as a proof-of-concept. They have supplied the attack framework to Mozilla so that the firm can improve the way it handles security in reviewing extension approvals.

The flaw is likely to be bypassed when Mozilla moves Firefox to its new WebExtensions model that isolates extensions. The company has given developers 18 months to migrate add-ons to the new model before the old extensions are purged.