Closed Bug 1435937 Opened 6 years ago Closed 6 years ago

WebExtension Firefox sync poisoning

Categories

(WebExtensions :: General, defect)

58 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1415644

People

(Reporter: francois.lajeunesse.robert, Unassigned)

Attachments

(1 file)

1.91 KB, application/x-zip-compressed
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180128191252

Steps to reproduce:

Whenever a Firefox instance hasn't been synced yet, a malicious extension with a content script host that includes https://account.firefox.com (for example: "https://*.firefox.com/*") can bind the instance to a malicious account. Therefore, one can poison bookmarks, tabs, preferences, etc. or retrieve data from the victim.

In particular, preference poisoning can lead to several security issues (for example, see BUG 1430980, BUG 1431581). Moreover, with BUG 1430980, it is possible to access files on the filesystem using the technique described in BUG 1435933 without requiring the tabs.executeScript privilege in about:newTab or about:home.


Actual results:

The attachment is an extension POC which, upon loading, will open a new tab to https://accounts.firefox.com, set the username and password defined in background.js, and submit the form.

If the Firefox instance hasn't been synced yet, no warning will show up and Firefox will be synced to the malicious account.


Expected results:

Firefox sync related URLs should be considered as privileged resources with respect to WebExtensions.
:jkt, how is your work on bug 1415644 going?
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: General
Flags: needinfo?(jkt)
Product: Firefox → Toolkit
I was reworking the patch to take any number of hostnames to restrict upon. I'm working around a compiler error at the moment. I'll prioritise this over other work.
This would be fixed by bug 1415644 (prevent addons from accessing accounts.firefox.com).
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Depends on: CVE-2018-5152
Resolution: --- → DUPLICATE
Flags: needinfo?(jkt)
Product: Toolkit → WebExtensions
Group: toolkit-core-security → firefox-core-security
Group: firefox-core-security
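
A reviewer-side check for the condition described in the report, as an added example (not part of the bug report or of Mozilla's fix): it flags manifest match patterns that cover the Firefox Accounts sign-in origin. The function names and the sample manifest are constructed for illustration, and the matcher handles only the common match-pattern forms.

```javascript
// Added example: audit a WebExtension manifest for match patterns that
// cover the Firefox Accounts sign-in origin discussed in this bug.
const PROTECTED_URL = "https://accounts.firefox.com/";

// Turn a match-pattern path glob (only "*" is special) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// True if a WebExtension match pattern covers the given http(s) URL.
function patternMatches(pattern, urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  if (pattern === "<all_urls>") return true; // covers every http(s) page
  const m = /^(\*|[a-z]+):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permission names such as "tabs" end up here
  const [, pScheme, pHost, pPath] = m;
  const schemeOk = pScheme === "*" ? ["http", "https", "ws", "wss"].includes(scheme)
                                   : pScheme === scheme;
  const host = url.hostname;
  // "*.firefox.com" matches firefox.com itself and every subdomain.
  const hostOk = pHost === "*" || (pHost.startsWith("*.")
    ? host === pHost.slice(2) || host.endsWith(pHost.slice(1))
    : host === pHost);
  return schemeOk && hostOk && globToRegExp(pPath).test(url.pathname + url.search);
}

// Collect every content-script or host-permission pattern reaching PROTECTED_URL.
function auditManifest(manifest) {
  const findings = [];
  (manifest.content_scripts || []).forEach((cs, i) => {
    const excluded = (cs.exclude_matches || []).some(p => patternMatches(p, PROTECTED_URL));
    for (const p of cs.matches || []) {
      if (!excluded && patternMatches(p, PROTECTED_URL)) {
        findings.push({ where: `content_scripts[${i}].matches`, pattern: p });
      }
    }
  });
  for (const p of manifest.permissions || []) {
    if (patternMatches(p, PROTECTED_URL)) findings.push({ where: "permissions", pattern: p });
  }
  return findings;
}

// Constructed sample manifest using the host pattern quoted in the report.
const sampleManifest = { manifest_version: 2, name: "constructed-sample",
  permissions: ["tabs", "storage"],
  content_scripts: [{ matches: ["https://*.firefox.com/*"], js: ["content.js"] },
                    { matches: ["https://example.org/*"], js: ["other.js"] }] };
console.log(auditManifest(sampleManifest));
```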