Closed
Bug 1314332
Opened 9 years ago
Closed 8 years ago
Block Web of Trust (WOT) Add-on due to security and privacy issues
Categories: Toolkit :: Blocklist Policy Requests, defect
Status: RESOLVED FIXED
People: Reporter: danielrieken89, Assigned: jorgev
Keywords: csectype-disclosure, privacy
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160905130425
Steps to reproduce:
Please unlist the Web of Trust (WOT) Addon from https://addons.mozilla.org.
The addon is spyware and sells your private data! It can be traced back to individual persons!
German NDR (Northern German Broadcasting), a public radio and television broadcaster, discovered that the WOT-Addon is spyware, see here (website is in German):
http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Millionen-Nutzer-ausgespaeht,nacktimnetz100.html
See also (websites are in German):
- https://heise.de/-3453820
- http://www.spiegel.de/netzwelt/web/web-of-trust-browser-add-on-spioniert-angeblich-nutzer-aus-a-1119236.html
Translated using Google Translate:
https://translate.google.de/translate?sl=auto&tl=en&js=y&prev=_t&ie=UTF-8&u=https%3A%2F%2Fheise.de%2F-3453820&edit-text=&act=url
Actual results:
-
Expected results:
1. Unlist the Web of Trust (WOT) Addon from your website: https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
2. Disable already installed Web of Trust (WOT) addons like you do with old and insecure Adobe Flash plugins.
Updated•9 years ago
Summary: Web of TrusT (WOT) Addon → Web of TrusT (WOT) Addon is malicious according to news reports
Updated•9 years ago
Component: Untriaged → Security
Product: Firefox → addons.mozilla.org
Comment 1•9 years ago (Reporter)
More technical details (in German):
https://www.kuketz-blog.de/wot-addon-wie-ein-browser-addon-seine-nutzer-ausspaeht/
Translated using Google Translate:
https://translate.google.de/translate?sl=de&tl=en&js=y&prev=_t&ie=UTF-8&u=https%3A%2F%2Fwww.kuketz-blog.de%2Fwot-addon-wie-ein-browser-addon-seine-nutzer-ausspaeht%2F&edit-text=
Updated•9 years ago (Assignee)
Component: Security → Blocklisting
Product: addons.mozilla.org → Toolkit
Comment 2•9 years ago (Assignee)
We haven't decided if this is happening yet. I just moved it to the right component.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•9 years ago (Rob Wu [:robwu])
I found evidence of a critical issue: WOT is able to remotely execute arbitrary commands on any page (including privileged parts of Firefox) if they wanted to.
For the full analysis, see https://gist.github.com/Rob--W/bda5f28a0ac3b877780c6665bbed2e1b
Comment 4•9 years ago (Assignee: Jorge Villalobos [:jorgev])
(In reply to Rob Wu [:robwu] from comment #3)
> I found evidence of a critical issue: WOT is able to remotely executing
> arbitrary commands on any page (including privileged parts of Firefox) if
> they wanted to.
It's worth pointing out that remote code execution is not a rare occurrence in add-ons, though we generally don't allow it (sometimes it's overlooked by reviewers).
Thank you for the detailed report, though, it should make it easier to determine what to do here.
Updated•9 years ago
Severity: major → critical
Keywords: csectype-disclosure
Comment 5•9 years ago (Rob Wu [:robwu])
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> (In reply to Rob Wu [:robwu] from comment #3)
> > I found evidence of a critical issue: WOT is able to remotely executing
> > arbitrary commands on any page (including privileged parts of Firefox) if
> > they wanted to.
>
> It's worth pointing out that remote code execution is not a rare occurrence
> in add-ons, though we generally don't allow it (sometimes it's overlooked by
> reviewers).
Indeed, add-ons such as userscript managers have a legitimate need for code execution. But WOT does not need this ability, and definitely not the ability to run remote code anywhere, including about: pages (such as about:preferences). That power enables WOT to seize control of a computer if they wanted to, so the add-on (versions 20090918 until 20151208) should be blacklisted. Once they upload a new version without this "feature", we can reconsider listing the add-on.
Comment 6•9 years ago
(Note: I'm the original author of this extension, but haven't been affiliated with it for the past few years, during which time I believe there's been an ownership change.)
(In reply to Rob Wu [:robwu] from comment #5)
> But WOT does not need this ability, and definitely not the
> ability to run remote code anywhere
This functionality was quite necessary in 2009 when mutation observers didn't exist and Google started switching to dynamic search result pages. I fully agree that it shouldn't be needed these days though.
However, the actual issue that's being widely discussed in German media, which both you and AMO reviewers at the time appear to have completely missed, was introduced in 2015 in this commit:
https://github.com/mywot/firefox-xul/commit/0df107cae8ac18901bd665acace4b369c244a3f9
This change adds logging of each visited URL and clearly attempts to obfuscate the traffic with double Base-64 encoding. Definitely sounds like something that should have been indicated to users.
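An added analyst-side check, not code from the bug page or from the WOT project: the double Base-64 encoding comment 6 describes hides visited URLs from a casual look at the traffic but is trivially reversible. The script peels base64 layers off captured request parameters and flags any value that decodes to a URL, which is how a reviewer can confirm that browsing history is leaving the browser. The parameter names and the sample payload are constructed assumptions, since the real wire format is not on this page.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def encode_twice(text: str) -> str:
    """Apply base64 twice: the obfuscation pattern described in the bug thread."""
    once = base64.b64encode(text.encode("utf-8"))
    return base64.b64encode(once).decode("ascii")


def _strict_b64decode(blob: str) -> Optional[bytes]:
    """Decode with strict alphabet/padding checks; None means 'not base64'."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_url(text: str) -> bool:
    parsed = urlparse(text)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def peel_base64(blob: str, max_layers: int = 4) -> Tuple[int, str]:
    """Strip successive base64 layers until the data stops being valid base64
    (or UTF-8), a URL appears, or max_layers is hit. Returns (layers, text)."""
    current, layers = blob, 0
    while layers < max_layers:
        raw = _strict_b64decode(current)
        if raw is None:
            break
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            break
        layers += 1
        if looks_like_url(current):  # readable plaintext reached, stop here
            break
    return layers, current


def find_leaked_urls(params: Dict[str, str]) -> Dict[str, Tuple[int, str]]:
    """Report every parameter that, once unwrapped, turns out to be a URL."""
    findings = {}
    for key, value in params.items():
        layers, decoded = peel_base64(value)
        if layers >= 1 and looks_like_url(decoded):
            findings[key] = (layers, decoded)
    return findings


# Constructed sample request parameters with hypothetical field names.
SAMPLE_PARAMS = {
    "v": "20151208",  # plain version string: valid base64 chars, but not a layer
    "u": encode_twice("https://example.com/patient-portal/record?id=12345"),
    "t": "1478000000",  # plain timestamp: wrong length for base64
}
```

Values that merely happen to use base64 characters (the version and timestamp above) are not reported, because they do not decode to valid UTF-8 or are not padded like base64.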
Comment 7•8 years ago
Let's go forward with this and block all versions <= 20151208 (GUID: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} )
Comment 8•8 years ago
(oops, hit send too early)
"... if there are no objections."
Updated•8 years ago (Assignee)
Assignee: nobody → jorge
Summary: Web of TrusT (WOT) Addon is malicious according to news reports → Block Web of TrusT (WOT) Add-on due to security and privacy issues
Comment 9•8 years ago (Assignee)
Current versions of WoT are now blocked: https://addons.mozilla.org/firefox/blocked/i1523
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 10•8 years ago
We understand the importance and urgency of the issues raised and are working to fix them.
Please consider removing us from the blacklist while we are in the process of developing a new version that addresses all open issues.
The blacklisting of the WOT extension has a strong negative impact on users who were relying on WOT as a security extension for their browser, leaving them unprotected.
We are working to upload it ASAP and kindly request a grace period.
Comment 11•8 years ago (Assignee)
You've been warned about these issues and the consequences of not addressing them within a reasonable time frame, since November.
Once a new version of your add-on passes review, users will be updated to it and the block won't apply anymore. Current users who are okay with the risks can re-enable the add-on in the Add-ons Manager.