Closed Bug 1336805 Opened 8 years ago Closed 8 years ago

Please make unlisted and listed addons visually different in about:addons

Categories: Toolkit :: Add-ons Manager, defect
Version: 54 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WONTFIX
People: Reporter: petcuandrei; Unassigned
Attachments: 4 files

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170205110539

Steps to reproduce:

Install an unlisted addon, let's say https://www.lastpass.com/

Install a listed addon for example https://addons.mozilla.org/en-US/android/addon/ublock-origin/

Open about:addons

Actual results:

They both look the same in about:addons, but uBlock Origin passed the code review while Lastpass did not. Lastpass is less trusted than uBlock Origin since it has fewer restrictions than uBlock Origin.

Expected results:

Unsigned addons look totally different in about:addons than signed addons. Unlisted addons need to be somehow visually different also.

I added an addon that is unlisted, looks like a real uBlock Origin, but actually replaces both uBlock Origin and Lastpass, and the fake addons look like the ones that passed the code review. This issue can be used for phishing.

I also reported a security issue on this: https://bugzilla.mozilla.org/show_bug.cgi?id=1321966
Attached image unsigned_ublock.png
I added 2 files for the signed vs unsigned addons. They are clearly visually different. I think maybe there can be a listed/unlisted UI that is similar to listed/unlisted.

I could even try to work on this if the devs consider this bug an easy bug :) (I am a n00b in Firefox development)
Here is a link that does not have the xpi-install content type, so you can download the addon: https://my.owndrive.com/index.php/s/cseG7IASuiDHgaG/download
Component: Untriaged → Add-ons Manager
Product: Firefox → Toolkit
I made a sample phishing web site to show the possible risk.

https://andreicristianpetcu.github.io/ublockphishing/

This addon basically replaces both uBlock Origin and Lastpass with fake ones that only have a different description.
You seem to be confusing two different things: signed versus unsigned and listed versus unlisted. Unsigned extensions cannot be installed in release or beta channel browsers at all. As for unlisted, we have a different flow at install time (since unlisted addons are not installed directly from AMO there is an extra dialog that the user must accept). Once the extension has been installed, we don't have an easy way to distinguish listed from unlisted. It is technically feasible to add it, but we would need a strong justification to add a bunch of new code.
Markus, any thoughts?
Flags: needinfo?(mjaritz)
Added a UI mockup for unlisted addons inspired by the unsigned extensions.
I don't confuse signed and unsigned addons. I want to see a warning message for the unlisted addons that is similar to the one in the unsigned addons. I added a sample print screen.

Please look at the demo web site I created. As a user I want to see a clear difference in the UI between listed and unlisted addons. My demo web site can replace one addon of the user and the user does not even know. My addons seem to be created by the Last Pass Dev team and by Raymond Hill. I am not the Lastpass dev team and I am not Raymond Hill. I should not be able to trick the user like this.

Unlisted addons can track users, can have DLL files, do not pass a manual code review (just an automated one), can execute remote code, can store data from private windows, can change user data without consent. It makes sense to see them differently in about:addons.
https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews
Just as I used uBlock Origin to replace the user's Lastpass, I can replace all of the user's extensions with just one click and one link. One click in uBlock Origin and I own all of his or her extensions, not just uBlock Origin.
Unlisted add-ons are not by definition less safe than listed ones or even malicious. Also, there are valid use cases where we require add-ons to be unlisted. Legitimate unlisted add-ons should not be punished with a scary warning just because they did not meet our requirements to be listed.

If we come across a malicious add-on, no matter whether it's listed or unlisted, we can keep Firefox users safe by blocklisting it.

I think the warning message we show for unlisted add-ons before install is enough.
I know that unlisted addons are needed, but they can do pretty dangerous stuff. Please take a look at my video. It is a little more than one minute long. https://vimeo.com/202760093

I made a small mistake in the video: I need to rename the author of the fake Lastpass addon from "LastPass Dev Team" to "LastPass"; this is a minor change. You get the idea.
I am not the one to judge the risk of unlisted extensions - or this form of attack; this is more of a security, policy and review question first. - I trust Andreas' judgement on that:

(In reply to Andreas Wagner [:TheOne] from comment #10)
> If we come across a malicious add-on, no matter whether it's listed or
> unlisted, we can keep Firefox users safe by blocklisting it.
> 
> I think the warning message we show for unlisted add-ons before install is
> enough.
If they see it as a big enough risk, showing a message in the addons manager will not solve it. Most people will not see that message as they will not go to the addons manager after installing the malicious extension.
Flags: needinfo?(mjaritz)
Added kev and rhelmer in case they'd like to chime in on this.
I agree with Andreas here. As long as the installation process is transparent, I don't think there's additional value in showing more warnings.
The problem is that it is not transparent. The user clicks "Update uBlock Origin" then sees the uBlock Origin installer and then ends up with Lastpass. I never saw a warning about Lastpass.
Flags: needinfo?(amckay)
With Firefox 57, unlisted add-ons will not be able to do anything more dangerous than a listed add-on, as they are all WebExtensions. As noted in comment 10, if we come across a malicious listed or unlisted add-on it is removed. As noted in comment 12, showing a warning to a user is pointless because it's too late (and we query the danger proposed in the first place).

At this point I'm not seeing much support for your proposal, so won't fixing.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(amckay)
Resolution: --- → WONTFIX