Created attachment 8792988
hackedbynsalol-0.0.5-fx.xpi

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce:

1. Generate a Firefox extension skeleton with JPM
2. Modify the install.rdf to use <em:id>firstname.lastname@example.org.</em:id>
3. Submit the extension to be signed by Mozilla as an unlisted add-on
4. Download the add-on and verify that the <em:id> field is unchanged.

Actual results:

The extension was signed although there are other extensions with the same ID field.

Expected results:

Mozilla should refuse to sign the extension. Bug #1303418 is designed to mitigate auto-update attacks but it is not effective as implemented. Additional checking needs to be done during the signing process.
https://bugzilla.mozilla.org/show_bug.cgi?id=1303418
Summary: Insufficient ID checking of add-ons during the auto-update/signing process → Insufficient ID checking of add-ons during the signing (and also auto-update) process
I think this is a duplicate. Checking.
status-firefox49: --- → affected
tracking-firefox49: --- → +
Group: firefox-core-security → client-services-security
Component: Untriaged → Security
Product: Firefox → addons.mozilla.org
This isn't a bug in Firefox.
status-firefox49: affected → ---
tracking-firefox49: + → ---
Your add-on has a period on the end of the ID:

email@example.com. vs firstname.lastname@example.org

Those are two different add-ons to AMO and (as far as I know) to Firefox. Are you suggesting that Firefox treats them as the same? The add-on manager shows them as two different add-ons.

When I try to sign your add-on (with a period on the end):

test $ jpm sign --api-key=... --api-secret=...
JPM [warning] Using existing install.rdf. This file is usually auto-generated.
JPM [warning] Using existing bootstrap.js. This file is usually auto-generated.
JPM [info] Created XPI for signing: /var/folders/15/3crpnr7j4sj75xynpsqkqbr00000gp/T/tmp-unsigned-xpi-8934Kk1lh4pRgFNCemail@example.com.-0.0.5.xpi
JPM [error] Server response: You do not own this addon. ( status: 403 )

Unless I'm missing something I believe this is all working as intended.
Ah very sorry. I didn't realize that. This should be closed out, sorry for the false alarm :/
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID