Closed Bug 1231582 Opened 9 years ago Closed 9 years ago

Mandatory addon signing would be easy to circumvent

Categories

(Toolkit :: Add-ons Manager, defect)

42 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1209452

People

(Reporter: sergroj, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

The stated goal of requiring addon signing is to avoid malicious extensions (often installed with some software), especially extensions that hide their presence. However, it would be ineffective against the latter. Things a malicious extension would typically do can be done with a GreaseMonkey script and traces can be mostly hidden with a user style.
Here's an example style that hides Stylish and Scriptish (a rarely used GM fork) from addons list and toolbar. Hiding from about:support isn't possible with a style, but that isn't important. Add any malicious script to the mix and you have a hidden malware.
Note: Another possibility is to experiment with -moz-binding in such a style. That might give full extension-level control over the browser.

@-moz-document url("about:addons") {
  /* Stylish */
  #category-userstyle, .addon[name="Stylish"] {display: none; }
  /* Scriptish */
  #category-userscript, .addon[name="Scriptish"] {display: none; }
}

@-moz-document url("chrome://browser/content/browser.xul") {
  #stylish-toolbar-button, #scriptish-button {display: none; }
}


Actual results:

-


Expected results:

-
(In reply to Sergey Rozhenko from comment #0)
> The stated goal of requiring addon signing is to avoid malicious extensions
> (often installed with some software), especially extensions that hide their
> presence. However, it would be ineffective against the latter.

Malicious extensions wouldn't be signed; extensions that aren't signed wouldn't be enabled.

> Here's an example style that hides Stylish and Scriptish (a rarely used GM
> fork) from addons list and toolbar.

Then this is a duplicate of bug 1209452.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → Add-ons Manager
OS: Unspecified → All
Product: Firefox → Toolkit
Hardware: Unspecified → All
Resolution: --- → DUPLICATE
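
A defender-side check for the technique discussed in this bug, as an added example that is not part of the original report or of Mozilla's code: it scans user-style CSS for @-moz-document blocks aimed at browser-internal pages and flags rules that hide elements or set -moz-binding. Treating about: and chrome:// targets as privileged is an assumption, the function names are hypothetical, and the sample input is constructed (trimmed from the style in comment 0, plus one benign site style).

```python
import re

# Assumption (not from the bug): "privileged" means about: or chrome:// targets.
PRIVILEGED = re.compile(r'^(about:|chrome://)', re.I)
DOC_RULE = re.compile(r'@-moz-document\s+([^{]+)\{', re.I)
TARGET = re.compile(r'(?:url-prefix|url|domain|regexp)\(\s*["\']?([^"\')]+)', re.I)
RULE = re.compile(r'([^{}]+)\{([^{}]*)\}')
# Declarations worth a look: element hiding, plus the -moz-binding idea from the report.
SUSPECT = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*(?:hidden|collapse)|-moz-binding\s*:[^;}]+', re.I)

def block_body(css, start):
    """Text of the block whose opening brace ends just before `start`."""
    depth, i = 1, start
    while i < len(css) and depth:
        depth += {'{': 1, '}': -1}.get(css[i], 0)
        i += 1
    return css[start:i - 1] if depth == 0 else css[start:]  # tolerate a missing '}'

def audit_user_style(css):
    """Return (target, selector, declaration) for suspect rules on privileged pages."""
    css = re.sub(r'/\*.*?\*/', '', css, flags=re.S)  # drop comments first
    findings = []
    for doc in DOC_RULE.finditer(css):
        targets = [t for t in TARGET.findall(doc.group(1)) if PRIVILEGED.match(t)]
        if not targets:
            continue  # ordinary web-site restyling, not our concern
        for rule in RULE.finditer(block_body(css, doc.end())):
            hit = SUSPECT.search(rule.group(2))
            if hit:
                selector = ' '.join(rule.group(1).split())
                findings.append((targets[0], selector, re.sub(r'\s+', '', hit.group(0))))
    return findings

# Constructed sample: two privileged blocks and one benign site style.
SAMPLE = '''
@-moz-document url("about:addons") {
  /* Stylish */
  #category-userstyle, .addon[name="Stylish"] {display: none; }
}
@-moz-document url("chrome://browser/content/browser.xul") {
  #stylish-toolbar-button, #scriptish-button {display: none; }
}
@-moz-document domain("example.org") { .banner {display: none; } }
'''

if __name__ == '__main__':
    for finding in audit_user_style(SAMPLE):
        print('SUSPECT %s | %s | %s' % finding)
```

The scanner does not handle braces inside CSS strings, so treat its output as a triage list rather than a verdict.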