1244246 - Sideloaded restartless add-ons can run code even before the user enables them to

Status: RESOLVED WONTFIX

(Toolkit :: Add-ons Manager, defect, P1)

Description

[Dave Townsend [:mossop]]

This is basically the same as bug 560608 but as that has been public for some time I wanted a private version. When we detect a new sideloaded add-on we load its bootstrap script and call its install method. We do this regardless of whether the add-on is compatible with the application, whether it is signed, whatever. This allows a suitably crafted add-on to do various bad things such as the next bug I will file.

We need to move the install call to only happen when the add-on actually gets enabled, which requires us to track whether we've ever called install for the add-on.

Comment 1

[Daniel Veditz [:dveditz] back January 5, 2026]

Is this fixable? presumably our record of whether an add-on is enabled or if we had previously installed it is stored in some profile file that the installer of a side-loaded addon could manipulate. The only way we could prevent this would be to re-check signatures every startup on the hot path rather than on a delay timer. The latter might catch tampering or corruption after the fact and report it to us, but won't prevent active malicious actors.

Comment 2

[Liz Henry (:lizzard) (relman/hg->git project)]

Dave, any further thoughts here? Possibly fixable, or not really actionable without thinking of the various possible evil scenarios of evil and trying to block those?

Comment 3

[Dave Townsend [:mossop]]

(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #2)
> Dave, any further thoughts here? Possibly fixable, or not really actionable
> without thinking of the various possible evil scenarios of evil and trying
> to block those?

Dan is right, it will never be completely fixable. I do think there is some basic steps we can take to improve things though. It probably doesn't need to block a release though.

Comment 4

[Liz Henry (:lizzard) (relman/hg->git project)]

Came across this during sec triage today. Dave, can you find anyone to take on those basic steps, or do we need to defer that to later?

Comment 5

[Dave Townsend [:mossop]]

(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #4)
> Came across this during sec triage today. Dave, can you find anyone to take
> on those basic steps, or do we need to defer that to later?

This problem has been around since Firefox 4 and we haven't seen any abuse of it yet. It would be good to fix but I have no time, maybe Andy has some resources to help.

Comment 6

[Liz Henry (:lizzard) (relman/hg->git project)]

Andy can you help find someone to take this on and investigate? Thanks.

Comment 7

[Andy McKay]

It's a hard problem that's been around for a while, I was going to look at Mossop for some advice on this and a few other related bugs once Tofino has run its course.

Comment 8

[Matt Wobensmith [:mwobensmith][:matt:]]

Hi Andy, since things have changed since June, do you have any new input on this bug?

Comment 9

[Andy McKay]

Not really, there's multiple classes of bugs on this and similar subjects that we have looked at, but haven't approached. For some of these (and this one), the answer probably is the switch to WebExtensions. I did ping Selena in email about these bugs and so I'll do it now in Bugzilla :)

Comment 10

[Selena Deckelmann :selenamarie :selena]

Sorry this feel off my radar. Adding Dan.

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Given comment 9, should we call this WONTFIX?