Insufficient ID checking of add-ons during the signing (and also auto-update) process

RESOLVED INVALID

Status

addons.mozilla.org
Security
2 years ago
2 years ago

People

(Reporter: Joshua Yabut, Unassigned)

Tracking

unspecified
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8792988 [details]
hackedbynsalol-0.0.5-fx.xpi

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce:

1. Generate a Firefox extension skeleton with JPM
2. Modify the install.rdf to use <em:id>https-everywhere-eff@eff.org.</em:id> 
3. Submit the extension to be signed by Mozilla as an unlisted add-on
4. Download the add-on and verify that <em:id> field is unchanged.


Actual results:

The extension was signed although there are other extensions with the same ID field.


Expected results:

Mozilla should refuse to sign the extension. Bug #1303418 is designed to mitigate auto-update attacks but it is not effective as implemented. Additional checking needs to be done during the signing process. https://bugzilla.mozilla.org/show_bug.cgi?id=1303418
(Reporter)

Updated

2 years ago
Summary: Insufficient ID checking of add-ons during the auto-update/signing process → Insufficient ID checking of add-ons during the signing (and also auto-update) process
I think this is a duplicate. Checking.
status-firefox49: --- → affected
tracking-firefox49: --- → +

Updated

2 years ago
Group: firefox-core-security → client-services-security
Component: Untriaged → Security
Product: Firefox → addons.mozilla.org
This isn't a bug in Firefox.
status-firefox49: affected → ---
tracking-firefox49: + → ---

Comment 3

2 years ago
Your add-on has a period on the end of the ID: https-everywhere-eff@eff.org. vs https-everywhere-eff@eff.org

Those are two different add-ons to AMO and (as far as I know) to Firefox. Are you suggesting that Firefox treats them as the same?

The add-on manager shows them as two different add-ons.

When I try to sign your add-on (with a period on the end):

test $ jpm sign --api-key=... --api-secret=...
JPM [warning] Using existing install.rdf. This file is usually auto-generated.
JPM [warning] Using existing bootstrap.js. This file is usually auto-generated.
JPM [info] Created XPI for signing: /var/folders/15/3crpnr7j4sj75xynpsqkqbr00000gp/T/tmp-unsigned-xpi-8934Kk1lh4pRgFNC/https-everywhere-eff@eff.org.-0.0.5.xpi
JPM [error] Server response: You do not own this addon. ( status: 403 )

Unless I'm missing something I believe this is all working as intended.
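The following is an added illustration, not code from AMO, jpm or the reporter: a small Python model of the ownership check that produced the 403 above. It parses the `<em:id>` out of a constructed install.rdf, looks the ID up in a constructed ownership registry (account names are hypothetical), and refuses to sign when the ID already belongs to a different account. It also shows why `https-everywhere-eff@eff.org.` and `https-everywhere-eff@eff.org` are two distinct add-ons (the lookup is an exact string match, so the trailing period creates a new ID) and adds a lookalike check, an assumption of this example rather than a documented AMO feature, that a reviewer could use to flag such near-collisions. The ID regex approximates Firefox's GUID-or-email ID rule and is not copied from any source.

```python
import re
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample install.rdf, with the trailing period from the report.
INSTALL_RDF = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>https-everywhere-eff@eff.org.</em:id>
    <em:version>0.0.5</em:version>
    <em:name>hackedbynsalol</em:name>
  </Description>
</RDF>
"""

# Constructed ownership registry: add-on ID -> owning account (hypothetical names).
REGISTRY = {
    "https-everywhere-eff@eff.org": "eff",
    "https-everywhere-eff@eff.org.": "reporter",
}

# Approximation of the GUID-or-email shape Firefox accepts for add-on IDs.
# Note that '.' is allowed at the end of the email-like form, which is why
# an ID with a trailing period is syntactically valid.
ID_PATTERN = re.compile(
    r"^(\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
    r"|[a-z0-9._-]*@[a-z0-9._-]+)$",
    re.IGNORECASE,
)


def extract_id(install_rdf: str) -> str:
    """Return the <em:id> text from an install.rdf document.

    Only surrounding whitespace is stripped; a trailing '.' stays part of the ID.
    """
    root = ET.fromstring(install_rdf)
    node = root.find(f".//{{{EM_NS}}}id")
    if node is None or not node.text or not node.text.strip():
        raise ValueError("install.rdf has no <em:id>")
    return node.text.strip()


def is_valid_id(addon_id: str) -> bool:
    """Syntactic check only: well-formed does not mean unique or owned by you."""
    return ID_PATTERN.match(addon_id) is not None


def check_signing(addon_id: str, submitter: str, registry: dict) -> tuple:
    """Model of the signing-side ownership decision.

    Exact-match lookup: an ID that differs by a single character is a
    different add-on, so it is either owned by its first submitter or new.
    """
    if not is_valid_id(addon_id):
        return (400, "invalid add-on ID")
    owner = registry.get(addon_id)
    if owner is None:
        return (201, "new add-on registered")
    if owner != submitter:
        # The outcome jpm reported above for an ID another account owns.
        return (403, "You do not own this addon")
    return (200, "signed")


def lookalike_ids(addon_id: str, registry: dict) -> list:
    """Registered IDs that collapse to the same string as addon_id after
    lowercasing and dropping trailing periods, excluding the exact ID itself.

    This is a review aid, not part of the ownership decision: the two IDs
    remain distinct add-ons, but a reviewer may want to see the near-match.
    """
    def normalize(value: str) -> str:
        return value.strip().lower().rstrip(".")

    target = normalize(addon_id)
    return sorted(
        known for known in registry
        if known != addon_id and normalize(known) == target
    )


if __name__ == "__main__":
    submitted = extract_id(INSTALL_RDF)
    print("submitted ID:", repr(submitted))
    print("reporter signs:", check_signing(submitted, "reporter", REGISTRY))
    print("another account signs:", check_signing(submitted, "mozilla-staff", REGISTRY))
    print("lookalikes:", lookalike_ids(submitted, REGISTRY))
```

Run as a script it walks through the scenario from the comment: the account that first submitted the trailing-period ID can sign it, any other account gets the 403, and the lookalike check surfaces the EFF ID it resembles without conflating the two.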
(Reporter)

Comment 4

2 years ago
Ah very sorry. I didn't realize that. This should be closed out, sorry for the false alarm :/

Updated

2 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
Group: client-services-security
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-