Bug 1102243 - Leethax.net exploits security hole to allow sandbox security violation
Status: RESOLVED INVALID (Closed)
Opened 11 years ago; closed 11 years ago
Categories: Core Graveyard :: Plug-ins, defect
Tracking: Not tracked
People: Reporter erisonstb; Unassigned
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
Steps to reproduce:
The extension Leethax (http://leethax.net/extension/) allows changing the URL used to get the Flash file, so a hacked version of the game is loaded instead of the actual one. It somehow replaces the URL that is allowed to be fetched.
This extension can be used to cheat in many different Facebook/web games. You can see the full list on their website, with over 10 games. This hack has been known for about 2 years.
If trying to access the address http://https.d3t8o3t65sk1l3.cloudfront.net.proxy.leethax.net:8002/flash/AngryBirdsFacebook-aa8226f0e5498d9ab8c97aefa3ebe26e9520da89.swf without the plugin, a security sandbox violation occurs. But when using the plugin, the sandbox violation doesn't occur.
Actual results:
When using the plugin, the sandbox violation doesn't occur, allowing the hacked Flash files to be loaded from a different unauthorised domain, not specified in crossdomain.xml.
Expected results:
The browser shouldn't allow the file to be loaded from an unauthorised domain that is not specified in the crossdomain.xml. It should only allow access from d3t8o3t65sk1l3.cloudfront.net.
In this case the expected result is that the browser throws a Security Sandbox Violation error and the hacked file from the domain fails to load.
The actual URL of the game is https://apps.facebook.com/angrybirds/. You can follow the URL loading using the developer console.
Thanks!
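As an added example (not code from the bug report, Mozilla or Leethax): a Python evaluator for a constructed crossdomain.xml, since the real policy of the CloudFront host is not on this page, showing why the proxied hostname from the report fails a correct allow-access-from check on both the host match and the secure flag, and how a substring-style host comparison would wrongly accept it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed policy: the real crossdomain.xml of the CloudFront host is not on the page.
# It admits SWFs served from the CDN host itself and from facebook.com subdomains, HTTPS only.
CONSTRUCTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="d3t8o3t65sk1l3.cloudfront.net" secure="true"/>
  <allow-access-from domain="*.facebook.com" secure="true"/>
</cross-domain-policy>"""

# Origins taken from the report: the game's own CDN host and the Leethax proxy host.
GENUINE_SWF = "https://d3t8o3t65sk1l3.cloudfront.net/flash/AngryBirdsFacebook.swf"
PROXIED_SWF = ("http://https.d3t8o3t65sk1l3.cloudfront.net.proxy.leethax.net:8002"
               "/flash/AngryBirdsFacebook.swf")


def parse_policy(xml_text):
    """Return (domain pattern, secure-only) pairs from <allow-access-from> elements.
    secure="true" is assumed when the attribute is absent."""
    root = ET.fromstring(xml_text)
    return [(el.get("domain", ""), el.get("secure", "true").lower() == "true")
            for el in root.findall("allow-access-from")]


def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard that matches only on a label boundary."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        parent = pattern[2:]                      # "*.facebook.com" -> "facebook.com"
        return host == parent or host.endswith("." + parent)
    return host == pattern


def naive_host_matches(pattern, host):
    """The mistake to avoid: substring matching accepts a proxy name that merely
    embeds the trusted hostname, exactly the shape of the Leethax URL above."""
    return pattern.lstrip("*.").lower() in host.lower()


def swf_origin_allowed(policy_xml, swf_url, strict=True):
    """Decide whether a SWF at swf_url may access the host that served policy_xml."""
    parts = urlsplit(swf_url)
    host = parts.hostname or ""                   # port is stripped by urlsplit
    matcher = host_matches if strict else naive_host_matches
    for pattern, secure_only in parse_policy(policy_xml):
        if not matcher(pattern, host):
            continue
        if secure_only and parts.scheme != "https":
            continue                              # secure="true" demands an HTTPS origin
        return True
    return False
```

The proxied URL is denied twice over under the strict matcher: its hostname only contains the trusted name as a prefix, and it is served over plain HTTP on port 8002.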
Comment 2 • 11 years ago
Add-ons are capable of blocking or replacing any content being loaded on a webpage. This is a desirable feature, certainly for users who install the add-on intentionally. I'm not sure if there's a bug here.
I'm moving this to the Plugins component, since I'm not sure if there are any security implications to what this add-on is doing and it sounds like the issue would happen in the interaction between Firefox and the Flash plugin.
Group: client-services-security → core-security
Component: Add-on Security → Plug-ins
Product: addons.mozilla.org → Core
Comment 3 • 11 years ago
Flash triggers the "sandbox security violation" and also handles validation of CORS requests using crossdomain.xml. How is this related to the browser sandbox?
Comment 4 • 11 years ago
Exactly which version of Firefox are you testing with?
Current mozilla-central (aka trunk) nightlies (on the 36 branch) default to running most UI code in a separate "content process". We call this e10s mode. And, on the Mac, the content process is currently sandboxed using an "empty" ruleset (one that allows all accesses). See bug 1076385.
Comment 5 • 11 years ago
The sandbox message is a flash complaint about a same-origin (or crossdomain.xml) violation, nothing to do with the Firefox sandbox we're building.
Unfortunately if people install a cheat then it's "working as designed" when the cheating occurs. The game designer (or flash) will have to come up with some kind of better integrity checks.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Updated • 4 years ago
Product: Core → Core Graveyard