Bug 1476369
Extension block request: Several add-ons that prevent about:addons from being opened
Status: RESOLVED FIXED (Opened 6 years ago, Closed 6 years ago)
Categories: Toolkit :: Blocklist Policy Requests, defect
People: Reporter: soeren.hentzschel, Assigned: TheOne
Attachments: 1 file (6.10 KB, application/zip)
WebExtensions shouldn't be able to block the access to internal pages like about:addons or about:preferences, I guess. There are already WebExtensions in the wild doing exactly this.
STR:
1. install the attached add-on
2. try to open about:addons
Expected: The add-ons manager has been opened.
Actual: Redirect to Google.
There are websites prompting the user to install add-ons like this. Setting the security flag because the attached add-on is harmful (users can't access the add-ons manager to uninstall this or other add-ons).
Updated•6 years ago
status-firefox61: --- → affected
status-firefox62: --- → affected
status-firefox63: --- → affected
status-firefox-esr52: --- → affected
status-firefox-esr60: --- → affected
Comment 1•6 years ago
hi, judging on recent reports on various support channels there seems to be a malvertising wave redirecting and trapping users on various sites on a .cool tld. that's posing as fake firefox updates and forcing users to install the addon attached in comment #0 to leave the trapping page: https://www.camp-firefox.de/forum/download/file.php?id=23325&mode=view
next to fixing the underlying issue raised in this bug could we also take short-term action to blocklist all the addons from this author and/or which set this fraudulent "Gooogle" search provider redirecting to "https://bigsearches.com"?
Flags: needinfo?(mozilla)
Flags: needinfo?(jorge)
Comment 2•6 years ago
The underlying issue is covered in bug 1299571, and probably a bunch of dupes. ni to Andreas and Philipp to investigate the reports.
Flags: needinfo?(philipp)
Flags: needinfo?(jorge)
Flags: needinfo?(awagner)
Updated•6 years ago
Flags: needinfo?(mozilla)
Comment 4•6 years ago
We've had a few add-ons do this before which we have blocked. There are enough techniques to prevent about:addons from being visible to the user that it would be difficult to block all methods and it would turn into a rat race to prevent developers from doing so. I'm leaving NI to Andreas since he can search all our add-on files.
Flags: needinfo?(philipp)
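Added example, not part of the bug thread or of Mozilla's tooling: a first-pass triage script for the kind of add-on file search mentioned above, listing which scripts in an XPI package reference the internal pages named in this bug. The sample package, its ID and the literal-string match are assumptions made here; obfuscated references would not be caught.

```python
import io
import json
import re
import zipfile

# Internal pages named in this bug's original summary.
ABOUT_PAGE = re.compile(rb"about:(?:addons|preferences|config)\b")
SCANNED_SUFFIXES = (".js", ".html")


def addon_id(manifest):
    """Return the add-on ID from either manifest key Firefox accepts."""
    for key in ("browser_specific_settings", "applications"):
        gecko = manifest.get(key, {}).get("gecko", {})
        if "id" in gecko:
            return gecko["id"]
    return None


def scan_xpi(data):
    """Map each script/page in an XPI to the about: pages it mentions."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        manifest = json.loads(xpi.read("manifest.json"))
        for name in xpi.namelist():
            if not name.endswith(SCANNED_SUFFIXES):
                continue
            found = {m.decode() for m in ABOUT_PAGE.findall(xpi.read(name))}
            if found:
                hits[name] = sorted(found)
    return {"id": addon_id(manifest), "hits": hits}


def build_sample_xpi():
    """Constructed sample package; the ID and file contents are placeholders."""
    manifest = {
        "manifest_version": 2,
        "name": "constructed-sample",
        "applications": {"gecko": {"id": "sample@placeholder.invalid"}},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps(manifest))
        xpi.writestr("background.js", 'const a = "about:addons", b = "about:config";\n')
        xpi.writestr("popup.js", 'console.log("hello");\n')
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(scan_xpi(build_sample_xpi()), indent=2))
```

Real manifests may contain `//` comments, which `json.loads` rejects, so strip them before parsing when scanning packages collected in the field.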
Comment 5•6 years ago (Assignee)
I can look into this, but given the drawbacks of the current approach we use, it might take a few days.
status-firefox61: affected → ---
status-firefox62: affected → ---
status-firefox63: affected → ---
status-firefox-esr52: affected → ---
status-firefox-esr60: affected → ---
Component: General → Blocklisting
Flags: needinfo?(awagner)
Product: WebExtensions → Toolkit
Version: 61 Branch → unspecified
Updated•6 years ago (Assignee)
Assignee: nobody → awagner
Comment 6•6 years ago (Assignee)
Extension name: Smash
Extension UUID: {c1cf1f13-b257-4271-b922-4c57c6b6e047}
Extension versions to block: *
Applications, versions, and platforms affected: *
Block severity: hard
Homepage, AMO listing, other references and contact info: https://reviewers.addons.mozilla.org/en-US/reviewers/review-unlisted/9d7c712da7a940c185fb
Reasons: Preventing about:addons from being opened
Comment 7•6 years ago (Assignee)
Homepage: hxxp://monzilla.download/
Updated•6 years ago
Group: toolkit-core-security
Updated•6 years ago (Assignee)
Summary: WebExtensions can block access to about:addons, about:preferences, about:config and other about:pages → Extension block request: Several add-ons that prevent about:addons from being opened
Comment 8•6 years ago
Homepage is also hxxp://ffinst25.download/ and install from hxxp://s3.amazonaws.com/ffext/smash-1.5us.xpi
Extension UUID {cff02c70-7f07-4592-986f-7748a2abd9e1}
Comment 9•6 years ago (Assignee)
I found a lot more add-ons, here is the full list:
Status: NEW → ASSIGNED
Comment 10•6 years ago (Assignee)
Philipp, the block has been staged. Could you please review and approve?
Flags: needinfo?(philipp)
Comment 11•6 years ago (Assignee)
There are a few additional ones by the authors of those that don't prevent about:addons from being opened but still do block-worthy stuff like remote script injection and search engine redirect. Also, they have proven themselves as bad actors.
Philipp, I have extended the block to those add-ons.
Comment 13•6 years ago (Assignee)
Jorge, can you please review and approve?
Flags: needinfo?(philipp) → needinfo?(jorge)
Comment 14•6 years ago
Done.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jorge)
Resolution: --- → FIXED