Closed Bug 1383392 Opened 7 years ago Closed 7 years ago

Extension installed an executable file without user consent

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Platform:
Unspecified
Windows
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: visco, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

1. Go to https://addons.mozilla.org/en-US/firefox/addon/fireshot/
2. Add to Firefox
3. Restart
(Actually, what's even worse, one might have this extension installed for quite a while without any complaints - and then suddenly discover that it silently installs a standalone .exe with an update of 22-07-2017)


Actual results:

A standalone application (fireshot.exe) starts as a child process of Firefox and places its icon in system tray - WITHOUT USER CONSENT. I don't like the fact that it is even possible for extension authors to install standalone executables silently, without any warnings or options displayed - an executable that is able to interact with my system outside of Firefox!

Extension permissions as of 22-07-2017:

"Some add-ons ask for permission to perform certain functions. Since you’re in control of your Firefox, the choice to grant or deny these requests is yours.

Please note this add-on uses legacy technology, which gives it access to all browser functions and data without requesting your permission."

- No choice was given whatsoever.

Privacy policy as of 22-07-2017:

"This extension uses Google Analytics to track the JavaScript errors caused by the extension. FireShot sends only the text of the error with the app-specific data. This data is processed only by the FireShot team and is never shared.

The personal user data, navigation history or cookies are never sent."

- No mentions of installing executables to user's system whatsoever.


Expected results:

Firefox should enforce asking for user consent in cases like this, if allow such installations at all.
Component: Untriaged → Add-ons Manager
Product: Firefox → Toolkit
This is a legacy extension, the browser has very limited ability to limit what it can do.
You can follow up with the addons.mozilla.org (AMO) admins if you think that the addon is deceptive or is violating some other AMO policy.
I don't think this is exactly the right component but it should get us one step closer to the right place for it to get addressed.
Component: Add-ons Manager → Extension Compatibility
Product: Toolkit → Firefox
I must confess, those lines about access to all browser functions sneaked past my attention somehow.. Still, that was a kind of behavior too excessive and unexpected even for an extension with full access to all browser functions - i.e. I could imagine that a legacy extension can download anything, but the fact it is also capable of starting an executable caught me by surprise.. Alright then, let's attribute that to my less than perfect understanding of inner workings of extensions; It is only now that I completely got the rationale for phasing out legacy..

Nonetheless, as I see it, this case shouldn't get past the extension review process at Mozilla. There's already a bunch of one-star user reviews with complaints about this particular update, but I couldn't find any mechanism to report an extension to admins at addons.mozilla.org - could you kindly suggest a way to do that?
Component: Extension Compatibility → Blocklisting
Product: Firefox → Toolkit
Version: 54 Branch → unspecified
I filed bug 1385527.

I understand the discussion here so far has been about addon capabilities, but I'm confused about the inaction on the addon in question.

Please have a look at the current state of the reviews on it: https://addons.mozilla.org/en-US/firefox/addon/fireshot/reviews/
It is a long list of one star reviews talking about this one issue.

I'll paste some of the complaints listed:
  "Automatically install "Fireshot for Desktop" and it's not have options to disable or remove. Sad but goodbye fireshot."
  "Same as previous review.Installes a desktop app with no notice or permission. Can't be disabled. Always shows Icon in top right screen windows."
  "I install a Mozilla Firefox add-on, I use it for a couple of years without an issue, then one day it shows up as *Microsoft Outlook toolbar* without prior notice or consent. What do the plug-in authors think I would do?" 
(emphasis mine)

Multiple reviewers report that this is running an executable on their system without permission and please note the user reporting the new Outlook toolbar it installed.

This is acting like malware and seems a major overreach. Is this not actionable?

At the moment we have no idea what this executable is doing on users' systems.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Windows
Legacy add-ons have always been able to include libraries in their file as part of their functionality. Those libraries were reviewed to the best of our capabilities, but there was always a level of trust that was needed between reviewers and developers.

Add-ons that use the WebExtensions API can't include libraries in the same way. They can only use the NativeConnect API, which interacts with external applications via messaging. This means that such an add-on needs the application to be installed separately in their system.

This poses problem for add-ons that are transitioning from legacy to WebExtensions APIs. If the application is not installed *before* the transition, then the add-on won't work right away when it migrates. The WebExtension APIs also make it difficult for the developer to request installation of this application. After much discussion, the Add-ons Team decided to make a policy exception for add-ons going through this process. This means legacy add-ons planning to move to WebExtensions APIs that rely on binaries are allowed to install the external binary in anticipation for their migration to WebExtensions. This isn't a great solution, but the alternatives are also pretty bad. This at least ensures a smooth transition for users.

I'll reiterate that this add-on already included binaries with fairly liberal access to the user's system, so there isn't a very significant change in its security. The move to the WebExtensions API is a net win in this regard.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Thank you for the clarification! Still, should the developer of extension in question make it clear (that standalone executable is an officially endorsed trade-off to facilitate transition to WebExtension) to his user base, I guess he'd spare himself quite an overwhelming number of unanimously negative reviews...
Just to be clear: users should be informed, maybe by a pop-up of some kind at addons.mozilla.org, that there's now a deliberate exception in policy due to reasons already stated.
The add-ons developer has been notified that he should upload a new version to addons.mozilla.org which displays a notice to the user before installation of the external binary.
To be clear, we don't know and can't know if the executables being installed are malicious or not, correct?

This is obviously an argument against legacy addons. 
Would be nice if there were a way to mitigate for similar situations in the meantime.
It's been standard practice to test binaries in add-ons on https://virustotal.com/, so we're not completely blind to security issues. The only way to be certain about safety in a binary would be to thoroughly inspect the sources and reproduce the build process to ensure it matches the binary. We've tried a similar approach before, and it just doesn't scale.
You need to log in before you can comment on or make changes to this bug.