Closed Bug 1250903 Opened 8 years ago Closed 8 years ago

Install service allows websites to trick users into installing extensions

Categories

(addons.mozilla.org :: Security, defect)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Unassigned)


Details

(Keywords: sec-high, wsec-objref)

I guess that the install service has been forgotten but it is still alive. Consider the following URL: https://addons.mozilla.org/services/install.php?addon_id=preisspion&addon_name=Adblock%20Plus. Any website could redirect to it and claim that Adblock Plus will be installed. The page looks trusted (addons.mozilla.org) and confirms that it will install Adblock Plus. If the user clicks the link he will get the installation prompt without the usual warnings displayed when installing from third parties, yet the extension installed is a completely different one (preisspion in this case, chosen because of low ratings). Displayed add-on name and actual add-on ID can be chosen via URL parameters arbitrarily. It works with reviewed add-ons only however.

Note that this page is supposed to check referrers and allow links from Mozilla properties only. This referrer check is implemented as inline JavaScript however and disabled by CSP.
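Added illustration, not code from addons.mozilla.org or from this report: a model of the install page as described above (add-on id and display name taken verbatim from the URL, the only guard a referrer check in an inline script) next to the same intent enforced on the server, where a CSP cannot switch it off. The catalog, the allowlist, the CSP strings and all function names are constructed assumptions for the example.

```javascript
// Added example (hypothetical; not AMO code). Constructed stand-in for the
// add-on database: a display name must come from here, keyed by the add-on
// id, never from an addon_name URL parameter.
const CATALOG = {
  'adblock-plus': { name: 'Adblock Plus', reviewed: true },
  'preisspion': { name: 'Preisspion', reviewed: true },
  'unreviewed-thing': { name: 'Unreviewed Thing', reviewed: false },
};

// Hypothetical allowlist of referrer hosts the page is meant to accept.
const TRUSTED_REFERRER_HOSTS = new Set(['addons.mozilla.org', 'www.mozilla.org']);

// Host of a Referer header value, or '' when it is absent or malformed.
function refererHost(referer) {
  try { return new URL(referer).host; } catch (e) { return ''; }
}

// Does this CSP let an inline <script> (no nonce, no hash) execute?
// script-src governs scripts; default-src is the fallback when it is absent.
function inlineScriptRuns(cspHeader) {
  const directives = new Map();
  for (const d of cspHeader.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name, sources);
  }
  const scriptSrc = directives.get('script-src') || directives.get('default-src') || [];
  return scriptSrc.includes("'unsafe-inline'");
}

// Model of the design the bug describes: id and name are rendered from the
// query string as-is, and the only guard is a referrer check in an inline
// script. Under a CSP without 'unsafe-inline' the browser never runs that
// script, so the check silently disappears and the install proceeds.
function clientSideInstallPage(query, referer, cspHeader) {
  if (inlineScriptRuns(cspHeader) && !TRUSTED_REFERRER_HOSTS.has(refererHost(referer))) {
    return { allowed: false, reason: 'referrer' };
  }
  return { allowed: true, addonId: query.addon_id, displayName: query.addon_name };
}

// Same intent enforced on the server, where CSP is irrelevant. The display
// name is looked up from the id, so the page cannot say "Adblock Plus" while
// installing something else, and unreviewed ids are refused outright.
function serverSideInstallPage(query, referer) {
  const entry = CATALOG[query.addon_id];
  if (!entry || !entry.reviewed) return { allowed: false, reason: 'unknown-or-unreviewed' };
  if (!TRUSTED_REFERRER_HOSTS.has(refererHost(referer))) return { allowed: false, reason: 'referrer' };
  return { allowed: true, addonId: query.addon_id, displayName: entry.name };
}

// The query string from the report, reached by a redirect from a third-party
// site (constructed attacker URL).
const QUERY = { addon_id: 'preisspion', addon_name: 'Adblock Plus' };
const ATTACKER = 'https://attacker.example/landing';

console.log(clientSideInstallPage(QUERY, ATTACKER, "default-src 'self'"));
console.log(clientSideInstallPage(QUERY, ATTACKER, "script-src 'self' 'unsafe-inline'"));
console.log(serverSideInstallPage(QUERY, ATTACKER));
console.log(serverSideInstallPage(QUERY, 'https://addons.mozilla.org/firefox/'));
```

The first call is the reported case: with a CSP that omits 'unsafe-inline', the client-side version returns an allowed install of preisspion labelled "Adblock Plus". The durable part of the server-side version is the id-to-name lookup; a Referer allowlist on its own is weak, since browsers and privacy settings strip the header and an open redirector on a trusted host can supply a trusted value, which is why the thread ends with the page being removed rather than patched.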

Nice find, Wladimir.  The referrer check being disabled by CSP is a good catch.

I don't know of a reason to keep this page around.  With add-on signing the functionality we wanted here is pretty much no longer needed.  Can anyone think of a reason to keep this around?

(In reply to Wil Clouser [:clouserw] from comment #1)
> The referrer check being disabled by CSP is a good catch.

It's not like the referrer check makes it any safer - misusing outgoing.mozilla.org as an intermediate step is fairly trivial.

The above means: CSP actually makes this better. Without CSP the inline script would run and it could start an installation automatically if the referrer has been manipulated (outgoing.mozilla.org requires URLs to be signed but getting the signature for any URL is trivial and it will never expire). The install service is really a security hazard and I'd love to see it removed.
Flags: sec-bounty?

Moving security bugs to the security component so we can move Administration to the graveyard and we stop getting lots of bug reports that should go on GitHub.
Component: Administration → Add-on Security

This appears to have been resolved?

Side-note: I came across bug 718448 where I already mentioned abuse potential of the install service, four years ago.

Sorry, yes, this was merged.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED

Given that there is no install.php in production any more, this can be public IMHO.
Flags: needinfo?(amuntner)
Group: client-services-security
Flags: needinfo?(amuntner)
Flags: sec-bounty? → sec-bounty+