Open Bug 1475710 Opened 6 years ago Updated 2 years ago

consider making prompt to allow sites to trigger add-on installation scarier given its abuse in the wild

(Toolkit :: Add-ons Manager, defect, P3)

(Reporter: dbaron, Unassigned)

(1 file)

In bug 1465318 I reported a situation where the following happened:

 * a script, likely within an ad served for the site (I say this since the issue happened intermittently; it was injecting the script in a way that made the debugger no longer show the source of the script that was running) would:

   1. check for the presence of a cookie set by an add-on, and if it was present, skip the remaining steps

   2. go through the DOM and replace much of the text with garbage text (see the screenshot, where much of the page, normally in Chinese, has been replaced with ������).

   3. call InstallTrigger.install() on an XPI hosted on (see below for description of addon)

   4. place an overlay above the page darkening all of it out, overlaid with the text "Error 408: Encoding with UTF-16.</br>Install Firefox addon for unicode support.", and a big red arrow pointing to the dropdown triggered by InstallTrigger.install() (see screenshot)

 * the addon in question, if the user installed it, would do the following:

   1. set a cookie for all pages to make them trigger (1) in the list of steps above

   2. log some information to a server, and maybe some other things

Given that this addon, at the time I found it, had a few hundred installs, it seemed like this technique was succeeding at tricking users into installing an addon in order to make the broken web page work.

It seems to me that the current UI (see screenshot) doesn't do a great job of explaining what will happen when the user presses "Allow" or why it might not be a good idea. I think this UI should be improved so that it's harder to trick users into using it.
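A defensive check for the lure described above, as an added example that is not part of the bug report or of Firefox's own code: it scores a page for visible text dominated by U+FFFD replacement characters plus a fixed, darkening, full-viewport overlay, and wraps an InstallTrigger-like object so that install() calls made while the page is in that state are recorded and refused. The {text, style, children} tree shape, the install(xpis, callback) signature, the 0.5 threshold and the two sample pages are assumptions constructed here so the code runs outside a browser; a content script would walk the real DOM instead.

```javascript
// Heuristic for the fake-encoding-error install lure. Added example, not
// from the bug report; the {text, style, children} tree shape and the
// sample pages below are constructed so it runs outside a browser.
const REPLACEMENT_CHAR = "\uFFFD";

function collectText(node, out = []) {
  if (typeof node.text === "string") out.push(node.text);
  for (const child of node.children || []) collectText(child, out);
  return out;
}

// Fraction of non-whitespace characters that are U+FFFD.
function replacementCharRatio(root) {
  const chars = collectText(root).join("").replace(/\s+/g, "");
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const c of chars) if (c === REPLACEMENT_CHAR) hits++;
  return hits / chars.length;
}

// True if any element is a fixed full-viewport box with a dark background.
function hasDarkOverlay(node) {
  const s = node.style || {};
  const covers = s.position === "fixed" && s.width === "100%" && s.height === "100%";
  if (covers && /rgba\(\s*0\s*,\s*0\s*,\s*0\s*,/.test(s.background || "")) return true;
  return (node.children || []).some(hasDarkOverlay);
}

function assessLure(root) {
  const ratio = replacementCharRatio(root);
  const overlay = hasDarkOverlay(root);
  return { ratio, overlay, suspicious: ratio >= 0.5 && overlay }; // 0.5: assumed threshold
}

// Record every install() attempt with the page verdict; refuse it while the page looks like the lure.
function guardInstallTrigger(trigger, root, log) {
  const original = trigger.install.bind(trigger);
  trigger.install = (xpis, callback) => {
    const verdict = assessLure(root);
    log.push({ xpis, ...verdict });
    return verdict.suspicious ? false : original(xpis, callback);
  };
  return trigger;
}

// Constructed sample pages: one mimicking the lure, one ordinary.
const LURE_PAGE = { children: [
  { text: REPLACEMENT_CHAR.repeat(120) }, { text: REPLACEMENT_CHAR.repeat(80) },
  { style: { position: "fixed", width: "100%", height: "100%", background: "rgba(0,0,0,0.8)" },
    text: "Error 408: Encoding with UTF-16. Install Firefox addon for unicode support." } ] };
const CLEAN_PAGE = { children: [{ text: "Hello" }, { text: "\u4f60\u597d" }] };
```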
Fwd to UX (note: the whole attached image is what the reporter is seeing -- that blue text is not his annotation).
Flags: needinfo?(emanuela)
Priority: -- → P3
:dbaron: thank you for your feedback and reporting this case.

I think there is space for improving the messaging here. At the moment the add-ons UX team is pretty busy, but I think we can iterate on this in the next three weeks.
Flags: needinfo?(emanuela)
See Also: → 628041
Severity: normal → S3