Bug 1314332 - Web of Trust (WOT) Addon is malicious according to news reports
Status: NEW
Keywords: csectype-disclosure, privacy
Product: Toolkit
Classification: Components
Component: Blocklisting
Importance: -- critical with 2 votes
Assigned To: Nobody; OK to take it and work on it
QA Contact: Jorge Villalobos [:jorgev]
URL: https://www.mywot.com/en/privacy/priv...
Reported: 2016-11-01 10:29 PDT by Daniel Rieken
Modified: 2016-11-05 09:14 PDT
CC: 14 users
Attachments: none

Description Daniel Rieken 2016-11-01 10:29:25 PDT
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160905130425

Steps to reproduce:

Please unlist the Web of Trust (WOT) add-on from https://addons.mozilla.org.
The add-on is spyware and sells your private data! It can be traced back to individual persons!

German NDR (Northern German Broadcasting), a public radio and television broadcaster, discovered that the WOT add-on is spyware; see here (website is in German):
http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Millionen-Nutzer-ausgespaeht,nacktimnetz100.html

See also (websites are in German):
- https://heise.de/-3453820
- http://www.spiegel.de/netzwelt/web/web-of-trust-browser-add-on-spioniert-angeblich-nutzer-aus-a-1119236.html

Translated using google translate:
https://translate.google.de/translate?sl=auto&tl=en&js=y&prev=_t&ie=UTF-8&u=https%3A%2F%2Fheise.de%2F-3453820&edit-text=&act=url


Actual results:

-


Expected results:

1. Unlist the Web of Trust (WOT) add-on from your website: https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
2. Disable already installed Web of Trust (WOT) add-ons, like you do with old and insecure Adobe Flash plugins.
Comment 2 Jorge Villalobos [:jorgev] 2016-11-02 08:42:31 PDT
We haven't decided if this is happening yet. I just moved it to the right component.
Comment 3 Rob Wu [:robwu] 2016-11-02 14:08:11 PDT
I found evidence of a critical issue: WOT is able to remotely execute arbitrary commands on any page (including privileged parts of Firefox) if they wanted to.

For the full analysis, see https://gist.github.com/Rob--W/bda5f28a0ac3b877780c6665bbed2e1b
Comment 4 Jorge Villalobos [:jorgev] 2016-11-02 16:08:39 PDT
(In reply to Rob Wu [:robwu] from comment #3)
> I found evidence of a critical issue: WOT is able to remotely execute
> arbitrary commands on any page (including privileged parts of Firefox) if
> they wanted to.

It's worth pointing out that remote code execution is not a rare occurrence in add-ons, though we generally don't allow it (sometimes it's overlooked by reviewers).

Thank you for the detailed report, though, it should make it easier to determine what to do here.
Comment 5 Rob Wu [:robwu] 2016-11-03 08:44:19 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> (In reply to Rob Wu [:robwu] from comment #3)
> > I found evidence of a critical issue: WOT is able to remotely execute
> > arbitrary commands on any page (including privileged parts of Firefox) if
> > they wanted to.
> 
> It's worth pointing out that remote code execution is not a rare occurrence
> in add-ons, though we generally don't allow it (sometimes it's overlooked by
> reviewers).

Indeed, add-ons such as userscript managers have a legitimate need for code execution. But WOT does not need this ability, and definitely not the ability to run remote code anywhere, including about: pages (such as about:preferences). That power enables WOT to seize control of a computer if they wanted to, so the add-on (versions 20090918 through 20151208) should be blacklisted. Once they upload a new version without this "feature", we can reconsider listing the add-on.
Comment 6 Sami Tolvanen 2016-11-03 16:30:49 PDT
(Note: I'm the original author of this extension, but haven't been affiliated with it for the past few years, during which time I believe there's been an ownership change.)

(In reply to Rob Wu [:robwu] from comment #5)
> But WOT does not need this ability, and definitely not the
> ability to run remote code anywhere

This functionality was quite necessary in 2009 when mutation observers didn't exist and Google started switching to dynamic search result pages. I fully agree that it shouldn't be needed these days though.

However, the actual issue that's being widely discussed in German media, which both you and the AMO reviewers at the time appear to have completely missed, was introduced in 2015 in this commit:

https://github.com/mywot/firefox-xul/commit/0df107cae8ac18901bd665acace4b369c244a3f9

This change adds logging of each visited URL and clearly attempts to obfuscate the traffic with double Base64 encoding. That definitely sounds like something that should have been indicated to users.
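
The double Base64 wrapping described in comment 6 is transport obfuscation, not protection: anyone capturing the add-on's outbound requests can peel it off mechanically and read the visited URLs. The following is an added example written for this page, not code from the WOT add-on or from the linked commit. The beacon format (a bare double-encoded URL with no other fields), the function names and the sample URLs are constructed assumptions for illustration; the real wire format is not reproduced on this page.

```javascript
'use strict';

// Added example, not WOT's code. Wraps a visited URL the way comment 6
// describes: Base64 applied twice. The beacon layout is an assumption.
function encodeBeacon(visitedUrl) {
  const once = Buffer.from(visitedUrl, 'utf8').toString('base64');
  return Buffer.from(once, 'utf8').toString('base64');
}

// Strict Base64 shape check: alphabet, correct padding, length divisible by 4.
const B64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function looksLikeBase64(s) {
  return s.length > 0 && s.length % 4 === 0 && B64_RE.test(s);
}

// Analyst side: peel Base64 layers until the payload stops being valid
// Base64 or stops decoding to printable text. The printable check is the
// edge-case guard: a short innermost string such as "Test" is itself valid
// Base64 but decodes to binary junk, and must not be peeled a layer too far.
function peelBase64(payload, maxLayers = 8) {
  let current = payload;
  let layers = 0;
  while (layers < maxLayers && looksLikeBase64(current)) {
    const decoded = Buffer.from(current, 'base64').toString('utf8');
    if (!/^[\x20-\x7e]*$/.test(decoded)) break; // non-printable: real data, stop
    current = decoded;
    layers += 1;
  }
  return { layers, text: current };
}

// Pull http(s) URLs out of whatever text the peeling recovered.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Constructed sample traffic: two beacons as such an add-on might emit while
// a user browses, plus one non-Base64 blob to show the decoder leaves it alone.
const SAMPLE_BEACONS = [
  encodeBeacon('https://example.com/patient-portal/record?id=12345'),
  encodeBeacon('https://mail.example.org/inbox/thread/9f8e7d'),
  'not-base64-at-all',
];

// For each captured beacon, report how many layers were stripped and which
// URLs were inside. Two layers with a URL inside is the tell-tale pattern.
function analyzeBeacons(beacons) {
  return beacons.map((beacon) => {
    const { layers, text } = peelBase64(beacon);
    return { beacon, layers, urls: extractUrls(text) };
  });
}

for (const result of analyzeBeacons(SAMPLE_BEACONS)) {
  console.log(`${result.layers} layer(s) -> ${JSON.stringify(result.urls)}`);
}
```

Run with `node` and the two constructed beacons come back as two-layer wrappers around the original URLs, while the third entry is reported with zero layers and no URLs. In a real capture you would feed the request bodies or query parameters from a proxy log into analyzeBeacons instead of SAMPLE_BEACONS; the per-URL detail is what turns "the add-on phones home" into "the add-on reports every page you visit", which is the disclosure the German reports were about.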
