Install service allows websites to trick users into installing extensions

RESOLVED FIXED

Status

addons.mozilla.org
Security
2 years ago
a year ago

People

(Reporter: Wladimir Palant, Unassigned)

Tracking

({sec-high, wsec-objref})

unspecified
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

2 years ago
I guess that the install service has been forgotten but it is still alive. Consider the following URL: https://addons.mozilla.org/services/install.php?addon_id=preisspion&addon_name=Adblock%20Plus. Any website could redirect to it and claim that Adblock Plus will be installed. The page looks trusted (addons.mozilla.org) and confirms that it will install Adblock Plus. If the user clicks the link, he will get the installation prompt without the usual warnings displayed when installing from third parties, yet the extension installed is a completely different one (preisspion in this case, chosen because of low ratings). Displayed add-on name and actual add-on ID can be chosen via URL parameters arbitrarily. It works with reviewed add-ons only, however.

Note that this page is supposed to check referrers and allow links from Mozilla properties only. This referrer check is implemented as inline JavaScript, however, and disabled by CSP.

Nice find, Wladimir. The referrer check being disabled by CSP is a good catch.

I don't know of a reason to keep this page around. With add-on signing the functionality we wanted here is pretty much no longer needed. Can anyone think of a reason to keep this around?
(Reporter)

Comment 3

2 years ago
(In reply to Wil Clouser [:clouserw] from comment #1)
> The referrer check being disabled by CSP is a good catch.

It's not like the referrer check makes it any safer - misusing outgoing.mozilla.org as an intermediate step is fairly trivial.
(Reporter)

Comment 4

2 years ago
The above means: CSP actually makes this better. Without CSP the inline script would run and it could start an installation automatically if the referrer has been manipulated (outgoing.mozilla.org requires URLs to be signed but getting the signature for any URL is trivial and it will never expire). The install service is really a security hazard and I'd love to see it removed.
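Added example, not part of the bug report and not AMO's code: the name/ID mismatch from the description, shown as the vulnerable labelling pattern next to a version that derives the label from the add-on ID, plus a check over logged request URLs. The catalogue contents, the second sample URL and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the server-side add-on database (ID -> listed name).
CATALOG = {"preisspion": "Preisspion", "adblock-plus": "Adblock Plus"}

# First URL is the one quoted in the report; the second is a constructed benign link.
SAMPLE_URLS = [
    "https://addons.mozilla.org/services/install.php?addon_id=preisspion&addon_name=Adblock%20Plus",
    "https://addons.mozilla.org/services/install.php?addon_id=adblock-plus&addon_name=Adblock%20Plus",
]


def parse_install_request(url):
    """Return (addon_id, claimed_name) from an install-service style URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("addon_id", [""])[0], query.get("addon_name", [""])[0]


def prompt_label_vulnerable(url):
    """Pattern described in the report: the label is whatever the link supplies."""
    _, claimed_name = parse_install_request(url)
    return claimed_name


def prompt_label_hardened(url, catalog=CATALOG):
    """Ignore the supplied name; show only the name the ID resolves to."""
    addon_id, _ = parse_install_request(url)
    if addon_id not in catalog:
        raise LookupError(f"unknown add-on id: {addon_id!r}")
    return catalog[addon_id]


def find_mismatched_requests(urls, catalog=CATALOG):
    """Flag logged requests whose claimed name differs from the listed name."""
    findings = []
    for url in urls:
        addon_id, claimed_name = parse_install_request(url)
        listed_name = catalog.get(addon_id)
        if claimed_name and (listed_name is None
                             or claimed_name.casefold() != listed_name.casefold()):
            findings.append((addon_id, claimed_name, listed_name))
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_requests(SAMPLE_URLS):
        print("label/ID mismatch:", finding)
```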

Updated

2 years ago
Flags: sec-bounty?

Moving security bugs to the security component so we can move Administration to the graveyard and we stop getting lots of bug reports that should go on GitHub.
Component: Administration → Add-on Security
(Reporter)

Comment 6

2 years ago
This appears to have been resolved?

Side-note: I came across bug 718448 where I already mentioned abuse potential of the install service, four years ago.

Comment 7

2 years ago
Sorry, yes, this was merged.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

2 years ago
Given that there is no install.php in production any more, this can be public IMHO.
Flags: needinfo?(amuntner)
Keywords: sec-high, wsec-objref
Group: client-services-security
Flags: needinfo?(amuntner)

Updated

2 years ago
Flags: sec-bounty? → sec-bounty+