Bug 1304112 - Insufficient ID checking of add-ons during the signing (and also auto-update) process
Status: RESOLVED INVALID (opened 8 years ago, closed 8 years ago)
Product / Component: addons.mozilla.org :: Security (defect)
Tracking: not tracked
Reporter: joshua2014; Assignee: unassigned
Attachments: 1 file (11.95 KB, application/zip)
Description (reporter, 8 years ago)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce:
1. Generate a Firefox extension skeleton with JPM.
2. Modify the install.rdf to use <em:id>https-everywhere-eff@eff.org.</em:id>.
3. Submit the extension to be signed by Mozilla as an unlisted add-on.
4. Download the add-on and verify that the <em:id> field is unchanged.

Actual results:
The extension was signed although there are other extensions with the same ID field.

Expected results:
Mozilla should refuse to sign the extension.

Bug #1303418 is designed to mitigate auto-update attacks but it is not effective as implemented. Additional checking needs to be done during the signing process.
https://bugzilla.mozilla.org/show_bug.cgi?id=1303418
Updated by reporter, 8 years ago
Summary: Insufficient ID checking of add-ons during the auto-update/signing process → Insufficient ID checking of add-ons during the signing (and also auto-update) process
Comment 1 (8 years ago)

I think this is a duplicate. Checking.

status-firefox49: --- → affected
tracking-firefox49: --- → +
Updated, 8 years ago
Group: firefox-core-security → client-services-security
Component: Untriaged → Security
Product: Firefox → addons.mozilla.org
Comment 2 (8 years ago)

This isn't a bug in Firefox.

status-firefox49: affected → ---
tracking-firefox49: + → ---
Comment 3 (8 years ago)

Your add-on has a period on the end of the ID (https-everywhere-eff@eff.org. vs https-everywhere-eff@eff.org). Those are two different add-ons to AMO and (as far as I know) to Firefox. Are you suggesting that Firefox treats them as the same? The add-on manager shows them as two different add-ons.

When I try to sign your add-on (with a period on the end):

    test $ jpm sign --api-key=... --api-secret=...
    JPM [warning] Using existing install.rdf. This file is usually auto-generated.
    JPM [warning] Using existing bootstrap.js. This file is usually auto-generated.
    JPM [info] Created XPI for signing: /var/folders/15/3crpnr7j4sj75xynpsqkqbr00000gp/T/tmp-unsigned-xpi-8934Kk1lh4pRgFNC/https-everywhere-eff@eff.org.-0.0.5.xpi
    JPM [error] Server response: You do not own this addon. ( status: 403 )

Unless I'm missing something I believe this is all working as intended.
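The exchange above turns on one detail: the signing service keys ownership on the exact <em:id> string, so "https-everywhere-eff@eff.org." (trailing period) is a separate add-on from "https-everywhere-eff@eff.org", and a second account trying to sign under the dotted ID gets the 403 "You do not own this addon" seen in Comment 3. The following is an added example, not AMO's or JPM's code: it parses the <em:id> out of a constructed install.rdf, replays the thread's scenario against a made-up ownership registry (owner names, the "reporter"/"amo-staff" accounts and the 202/403 codes are assumptions), and adds a hypothetical lookalike-ID check of the kind the reporter was asking for, which the thread says AMO does not perform.

```python
"""Model of the exact-match ownership check on a submitted add-on's <em:id>.

Constructed example. The registry contents, account names and HTTP codes
are made up; the comparison semantics (exact string match, trailing period
significant) are what the bug thread describes.
"""
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def extract_addon_id(install_rdf: str) -> str:
    """Return the <em:id> text of an install.rdf manifest.

    Only surrounding whitespace is removed. A trailing '.' stays, which is
    why 'https-everywhere-eff@eff.org.' is a different add-on from
    'https-everywhere-eff@eff.org'.
    """
    root = ET.fromstring(install_rdf)
    desc = root.find(f"{{{RDF_NS}}}Description")
    if desc is None:
        raise ValueError("install.rdf has no Description element")
    id_el = desc.find(f"{{{EM_NS}}}id")
    if id_el is None or not id_el.text or not id_el.text.strip():
        raise ValueError("install.rdf has no <em:id>")
    return id_el.text.strip()


def check_signing_request(addon_id: str, submitter: str, registry: dict) -> tuple:
    """Decide whether `submitter` may sign an XPI carrying `addon_id`.

    Mirrors the behaviour in the thread: an ID nobody owns yet is accepted
    and bound to the submitter; an ID owned by another account is refused
    with 403 'You do not own this addon.'. Lookup is an exact dict match.
    """
    owner = registry.get(addon_id)
    if owner is None:
        registry[addon_id] = submitter
        return (202, "accepted: new add-on ID registered to submitter")
    if owner != submitter:
        return (403, "You do not own this addon.")
    return (202, "accepted: submitter owns this ID")


def lookalike_ids(addon_id: str, registry: dict) -> list:
    """Hypothetical extra check (assumption: not something AMO does, per the
    thread). Lists registered IDs that collapse to the same string once case
    and trailing punctuation are ignored."""
    def fold(s: str) -> str:
        return s.lower().rstrip(".-_")
    return sorted(k for k in registry if k != addon_id and fold(k) == fold(addon_id))


# Constructed install.rdf matching step 2 of the report.
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>https-everywhere-eff@eff.org.</em:id>
    <em:version>0.0.5</em:version>
    <em:type>2</em:type>
    <em:name>skeleton</em:name>
  </Description>
</RDF>
"""


def run_scenario() -> tuple:
    """Replay the thread: the reporter signs the dotted ID (new, accepted),
    another account tries the same dotted ID (403), and the reporter tries
    the real undotted ID (403, owned by the constructed 'eff' account)."""
    registry = {"https-everywhere-eff@eff.org": "eff"}  # constructed owner
    dotted = extract_addon_id(INSTALL_RDF)
    first = check_signing_request(dotted, "reporter", registry)
    second = check_signing_request(dotted, "amo-staff", registry)
    third = check_signing_request("https-everywhere-eff@eff.org", "reporter", registry)
    return dotted, first, second, third, lookalike_ids(dotted, registry)


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Run as a script to see the three outcomes in order. The point of `extract_addon_id` using only `strip()` is that nothing short of whitespace is normalized away; any canonicalization (such as the folding in `lookalike_ids`) belongs in a separate advisory check, because the moment the signing path itself treated the two strings as equal, a collision would become possible in the other direction.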
Comment 4 (reporter, 8 years ago)

Ah, very sorry. I didn't realize that. This should be closed out, sorry for the false alarm :/
Updated, 8 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID

Updated, 8 years ago
Group: client-services-security

Updated, 8 years ago
Flags: sec-bounty?

Updated, 8 years ago
Flags: sec-bounty? → sec-bounty-