Closed
Bug 1387818
Opened 8 years ago
Closed 8 years ago
browser.tabs API vulnerability
Categories
(WebExtensions :: General, defect)
Tracking
(Not tracked)
RESOLVED DUPLICATE of bug 1299571
People
(Reporter: osam, Unassigned)
Details
Attachments (1 file): 44.19 KB, application/gzip
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170630112252
Steps to reproduce:
Install demonstration extension from attached file.
For that go to "about:debugging" tab and click "Load temporary add-on".
When the extension is installed, try to open the "Add-ons" or "Preferences#sync" pages.
Actual results:
A WebExtension with the "tabs" permission can intercept every tab, including system pages such as "Preferences" and others. By combining the tabs.onCreated() and tabs.onUpdated() events with the tabs.update() method, a malicious extension can replace any page faster than the user can see it. This gives an attacker many abilities.
1. If the extension blocks the "about:addons" page and its own page on AMO, it cannot be uninstalled or disabled by a normal user.
2. The extension can replace the "about:preferences#sync" page to phish the Firefox account.
3. The extension can even block the browser entirely until the user makes a buyout, because (see 1.) it cannot be uninstalled in the normal way.
All this requires only a few lines of code, which can easily be hidden among thousands of lines of JavaScript.
Expected results:
System pages such as "about:preferences" should be protected from WebExtensions.
Comment 1•8 years ago
What do Chrome, Edge and Safari do here? If you load any of their special pages in a tab, do add-ons get notified in the same way through the same APIs, and is navigation possible?
Component: Untriaged → WebExtensions: General
Flags: needinfo?(osam)
Product: Firefox → Toolkit
Version: 45 Branch → 54 Branch
Updated•8 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Group: firefox-core-security
Flags: needinfo?(osam)
Updated•7 years ago
Product: Toolkit → WebExtensions