Bug 1195389 (Open)
Opened 9 years ago, updated 2 years ago
Add autoconfig section to about:support
Categories: Toolkit :: General, defect
Tracking: NEW
People: Reporter: philipp, Unassigned
References: Blocks 1 open bug
Details: Keywords: sec-want
After addon-signing is enforced, badware authors will look for other avenues for exploiting the browser. I've recently seen evidence that autoconfig is getting used to inject malicious code as well. As we are set up at the moment, this will only be noticed by very advanced users or by chance, as it doesn't show in the troubleshooting information or leave any obvious marks when people are looking for support. Therefore I want to suggest/request that we add a section that indicates the presence of auto-configuration, similar to what was done in bug 557738 for a user.js file.
Reporter
Comment 1•9 years ago
Here is an example of malicious code injected through the autoconfig file: http://www.bleepingcomputer.com/forums/t/571984/ads-by-name/page-3#entry3671244
It would probably be overlooked in support during any normal troubleshooting procedure, and naturally survives a refresh of Firefox as well...
Updated•9 years ago
Group: toolkit-core-security
Comment 3•9 years ago
Yup, we should add this. Even beyond the example in comment 1 (being handled in bug 1205779) this will be directly analogous to the user.js case and can cause confusion about what the actual config is.
Group: toolkit-core-security
Comment 4•9 years ago
Florian, you said in the other bug as well that this should be done, do you know who we need to flag to get this implemented or at least considered for the work to be done?
Flags: needinfo?(florian)
Comment 5•9 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #4)
> Florian, you said in the other bug as well that this should be done, do you
> know who we need to flag to get this implemented or at least considered for
> the work to be done?
I was considering doing it myself, but it's not near the top of my priorities currently. I don't know who else to ask.
Flags: needinfo?(florian)
Comment 6•9 years ago
I'll take this. I can work on it in January.
Updated•2 years ago
Severity: normal → S3
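Added example, not part of the bug thread or of Firefox's code: a support-side check for the condition the description says about:support does not show, namely whether an installation has autoconfig enabled. It assumes the usual autoconfig layout, which the page does not spell out (a `defaults/pref/*.js` file in the installation directory setting `general.config.filename`, with the named `.cfg` file resolved relative to that directory); the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# pref("general.config.<name>", <value>) as written in a defaults/pref/*.js file
PREF_RE = re.compile(r'\bpref\(\s*"(general\.config\.\w+)"\s*,\s*"?([^",)]*)"?\s*\)')

def find_autoconfig(install_dir):
    """Report autoconfig settings found under one installation directory."""
    root = Path(install_dir)
    report = {"pref_files": [], "settings": {}, "cfg_file": None, "cfg_exists": False}
    pref_dir = root / "defaults" / "pref"
    if not pref_dir.is_dir():
        return report
    for js in sorted(pref_dir.glob("*.js")):
        lines = js.read_text(encoding="utf-8", errors="replace").splitlines()
        # Ignore commented-out prefs so disabled lines are not reported as active.
        live = "\n".join(l for l in lines if not l.lstrip().startswith("//"))
        found = dict(PREF_RE.findall(live))
        if found:
            report["pref_files"].append(js.name)
            report["settings"].update(found)
    name = report["settings"].get("general.config.filename")
    if name:
        # Assumption: the .cfg file is resolved relative to the installation directory.
        cfg = root / name
        report["cfg_file"] = str(cfg)
        report["cfg_exists"] = cfg.is_file()
    return report

def build_sample_install(root):
    """Constructed sample tree; not taken from a real installation."""
    pref_dir = Path(root) / "defaults" / "pref"
    pref_dir.mkdir(parents=True)
    (pref_dir / "channel-prefs.js").write_text('pref("app.update.channel", "release");\n')
    (pref_dir / "autoconfig.js").write_text(
        '// pref("general.config.filename", "old.cfg");\n'
        'pref("general.config.filename", "sample.cfg");\n'
        'pref("general.config.obscure_value", 0);\n')
    (Path(root) / "sample.cfg").write_text("// constructed placeholder\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = find_autoconfig(build_sample_install(tmp))
        for key, value in result.items():
            print(f"{key}: {value}")
```

A non-empty `pref_files` list is the signal to review the referenced `.cfg` file by hand, since this check only reports presence and does not judge the file's contents.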