Closed Bug 1476369 Opened 2 years ago Closed 2 years ago

Extension block request: Several add-ons that prevent about:addons from being opened

Component: Toolkit :: Blocklist Policy Requests (defect)
Status: RESOLVED FIXED
Reporter: soeren.hentzschel, Assigned: TheOne
Attachments: 1 file

Attached file smash-2.12.xpi.zip
WebExtensions shouldn't be able to block the access to internal pages like about:addons or about:preferences, I guess. There are already WebExtensions in the wild doing exactly this.

STR:

1. install the attached add-on
2. try to open about:addons

Expected:

The add-ons manager has been opened.

Actual:

Redirect to Google.

There are websites prompting the user to install add-ons like this.

Setting the security flag because the attached add-on is harmful (users can't access the add-ons manager to uninstall this or other add-ons).
hi, judging on recent reports on various support channels there seems to be a malvertising wave redirecting and trapping users on various sites on a .cool tld. that's posing as fake firefox updates and forcing users to install the addon attached in comment #0 to leave the trapping page: https://www.camp-firefox.de/forum/download/file.php?id=23325&mode=view

next to fixing the underlying issue raised in this bug could we also take short-term action to blocklist all the addons from this author and/or which set this fraudulent "Gooogle" search provider redirecting to "https://bigsearches.com"?
Flags: needinfo?(mozilla)
Flags: needinfo?(jorge)
The underlying issue is covered in bug 1299571, and probably a bunch of dupes. ni to Andreas and Philipp to investigate the reports.
Flags: needinfo?(philipp)
Flags: needinfo?(jorge)
Flags: needinfo?(awagner)
Flags: needinfo?(mozilla)
We've had a few add-ons do this before which we have blocked. There are enough techniques to prevent about:addons from being visible to the user that it would be difficult to block all methods and it would turn into a rat race to prevent developers from doing so.

I'm leaving NI to Andreas since he can search all our add-on files.
Flags: needinfo?(philipp)
I can look into this, but given the drawbacks of the current approach we use, it might take a few days.
Component: General → Blocklisting
Flags: needinfo?(awagner)
Product: WebExtensions → Toolkit
Version: 61 Branch → unspecified
Assignee: nobody → awagner
Extension name: Smash
Extension UUID: {c1cf1f13-b257-4271-b922-4c57c6b6e047}
Extension versions to block: *
Applications, versions, and platforms affected: *
Block severity: hard

Homepage, AMO listing, other references and contact info: https://reviewers.addons.mozilla.org/en-US/reviewers/review-unlisted/9d7c712da7a940c185fb

Reasons: Preventing about:addons from being opened
Homepage: hxxp://monzilla.download/
Group: toolkit-core-security
Summary: WebExtensions can block access to about:addons, about:preferences, about:config and other about:pages → Extension block request: Several add-ons that prevent about:addons from being opened
Homepage is also hxxp://ffinst25.download/
and install from hxxp://s3.amazonaws.com/ffext/smash-1.5us.xpi 
Extension UUID {cff02c70-7f07-4592-986f-7748a2abd9e1}
I found a lot more add-ons, here is the full list:

{1882a9ce-c0e3-4476-8185-f387fe269852}
{4d8b44ef-9b8b-4d82-b668-a49648d2749d}
{92b9e511-ac81-4d47-9b8f-f92dc872447e}
{3c841114-da8c-44ea-8303-78264edfe60b}
{116a0754-20eb-4fe5-bd35-575867a0b89e}
{6e6ff0fd-4ae4-49ae-ac0c-e2527e12359b}
{f992ac88-79d3-4960-870e-92c342ed3491}
{6ecb9f49-90f0-43a1-8f8a-e809ea4f732b}
{08c28c16-9fb6-4b32-9868-db37c1668f94}
{b4ab1a1d-e137-4c59-94d5-4f509358a81d}
{feedf4f8-08c1-451f-a717-f08233a64ec9}
{9ce66491-ef06-4da6-b602-98c2451f6395}
{654b21c7-6a70-446c-b9ac-8cac9592f4a9}
{f73636fb-c322-40e1-82fb-e3d7d06d9606}
{e60616a9-9b50-49d8-b1e9-cecc10a8f927}
{4853541f-c9d7-42c5-880f-fd460dbb5d5f}
{e771e094-3b67-4c33-8647-7b20c87c2183}
{8b04086b-94a5-4161-910b-59e3e31e4364}
{ce043eac-df8a-48d0-a739-ef7ed9bdf2b5}
{507a5b13-a8a3-4653-a4a7-9a03099acf48}
{bfe3f6c1-c5fe-44af-93b3-576812cb6f1b}
{dfa4b2e3-9e07-45a4-a152-cde1e790511d}
{635cb424-0cd5-4446-afaf-6265c4b711b5}
{248eacc4-195f-43b2-956c-b9ad1ae67529}
{fc11e7f0-1c31-4214-a88f-6497c27b6be9}
{be572ad4-5dd7-4b6b-8204-5d655efaf3b3}
{03b3ac4d-59a3-4cc6-aa4d-9b39dd8b3196}
{84b20d0c-9c87-4340-b4f8-1912df2ae70d}
{bd1f666e-d473-4d13-bc4d-10dde895717e}
{d64c923e-8819-488c-947f-716473d381b2}
{52d456e5-245a-4319-b8d2-c14fbc9755f0}
{a71b10ae-b044-4bf0-877e-c8aa9ad47b42}
{1e1acc1c-8daa-4c2e-ad05-5ef01ae65f1e}
{d147e8c6-c36e-46b1-b567-63a492390f07}
{8cd69708-2f5e-4282-a94f-3feebc4bce35}
{bf2a3e58-2536-44d4-b87f-62633256cf65}
{0ede8d39-26f2-49c4-8014-dfc484f54a65}
{328f931d-83c1-4876-953c-ddc9f63fe3b4}
{9c8b93f7-3bf8-4762-b221-40c912268f96}
{476a1fa9-bce8-4cb4-beff-cb31980cc521}
{0c72a72d-6b2e-4a0e-8a31-16581176052d}
{65d40b64-b52a-46d8-b146-580ff91889cb}
{90741f13-ab72-443f-a558-167721f64883}
{0e1c683e-9f34-45f1-b365-a283befb471a}
{40c9030f-7a2f-4a58-9d0a-edccd8063218}
{3f951165-fd85-42ae-96ef-6ff589a1fe72}
{5c9a2eca-2126-4a84-82c0-efbf3d989371}
{d1b87087-09c5-4e58-b01d-a49d714da2a2}
{f4e4fc03-be50-4257-ae99-5cd0bd4ce6d5}
{4d25d2b4-6ae7-4a66-abc0-c3fca4cdddf6}
{a33358ad-a3fa-4ca1-9a49-612d99539263}
{c1cf1f13-b257-4271-b922-4c57c6b6e047}
{eff5951b-b6d4-48f5-94c3-1b0e178dcca5}
{198627a5-4a7b-4857-b074-3040bc8effb8}
{bfc5ac5f-80bd-43e5-9acb-f6d447e0d2ce}
{0668b0a7-7578-4fb3-a4bd-39344222daa3}
{0ccfc208-8441-4c27-b1cb-799accb04908}
{531bf931-a8c6-407b-a48f-8a53f43cd461}
{95afafef-b580-4f66-a0fe-7f3e74be7507}
{b48e4a17-0655-4e8e-a5e2-3040a3d87e55}
{5921be85-cddd-4aff-9b83-0b317db03fa3}
{b6166509-5fe0-4efd-906e-1e412ff07a04}
{dec15b3e-1d12-4442-930e-3364e206c3c2}
{08a3e913-0bbc-42ba-96d7-3fa16aceccbf}
{7fea697d-327c-4d20-80d5-813a6fb26d86}
{7322a4cb-641c-4ca2-9d83-8701a639e17a}
{f26a8da3-8634-4086-872e-e589cbf03375}
{e82c0f73-e42c-41dd-a686-0eb4b65b411c}
{afa64d19-ddba-4bd5-9d2a-c0ba4b912173}
{7082ba5c-f55e-4cd8-88d6-8bc479d3749e}
{04c86cb3-5f52-4083-9e9a-e322dd02181a}
{824985b9-df2a-401c-9168-749960596007}
{b06bfc96-c042-4b34-944c-8eb67f35630a}
{dfcda377-b965-4622-a89b-1a243c1cbcaf}
{0be01832-7cce-4457-b8ad-73b743914085}
{90e8aa72-a7eb-4337-81d4-538b0b09c653}
{24f338d7-b539-49f1-b276-c9edc367a32d}
{b4ec2f8e-57fd-4607-bf4f-bc159ca87b26}
{42f3034a-0c4a-4f68-a8fd-8a2440e3f011}
{a6ad792c-69a8-4608-90f0-ff7c958ce508}
{cf62e95a-8ded-4c74-b3ac-f5c037880027}
{118bf5f6-98b1-4543-b133-42fdaf3cbade}
{5e5b9f44-2416-4669-8362-42a0b3f97868}
{060c61d8-b48f-465d-aa4b-23325ea757c3}
{544c7f83-ef54-4d17-aa91-274fa27514ef}
{546ea388-2839-4215-af49-d7289514a7b1}
{1fc1f8e6-3575-4a6f-a4d1-c4ca1c36bd2a}
{b8467ec4-ff65-45f4-b7c5-f58763bf9c94}
{5571a054-225d-4b65-97f7-3511936b3429}
{447fa5d3-1c27-4502-9e13-84452d833b89}
{d734e7e3-1b8e-42a7-a9b3-11b16c362790}
{3a1d6607-e6a8-4012-9506-f14cd157c171}
{c3d61029-c52f-45df-8ec5-a654b228cd48}
{a7775382-4399-49bf-9287-11dbdff8f85f}
{41f97b71-c7c6-40b8-83b1-a4dbff76f73d}
{f5128739-78d5-4ad7-bac7-bd1af1cfb6d1}
{b9dcdfb0-3420-4616-a4cb-d41b5192ba0c}
{db1a103d-d1bb-4224-a5e1-8d0ec37cff70}
{9e734c09-fcb1-4e3f-acab-04d03625301c}
{cff02c70-7f07-4592-986f-7748a2abd9e1}
{d14adc78-36bf-4cf0-9679-439e8371d090}
{3bb6e889-ac7a-46ca-8eed-45ba4fbe75b5}
{02e3137a-96a4-433d-bfb2-0aa1cd4aed08}
{6fb8289d-c6c8-4fe5-9a92-7dc6cbf35349}
Status: NEW → ASSIGNED
Philipp, the block has been staged. Could you please review and approve?
Flags: needinfo?(philipp)
There are a few additional ones by the authors of those that don't prevent about:addons from being opened but still do block-worthy stuff like remote script injection and search engine redirect. Also, they have proven themselves to be bad actors.

@googledashboard
@smashdashboard
@smash_tv
@smash_mov
@smashmovs
@smashtvs
@FirefoxUpdate
{a512297e-4d3a-468c-bd1a-f77bd093f925}
{10b0f607-1efa-4762-82a0-e0d9bbae4e48}
{8dc21e24-3883-4d01-b486-ef1d1106fa3d}
{e517649a-ffd7-4b49-81e0-872431898712}
{3f3bcb3e-dd73-4410-b102-60a87fcb8323}
{944ed336-d750-48f1-b0b5-3c516bfb551c}
{c0b8009b-57dc-45bc-9239-74721640881d}
{8f8cc21a-2097-488f-a213-f5786a2ccbbf}
{e4c5d262-8ee4-47d3-b096-42b8b04f590d}
{75b7af0d-b4ed-4320-95c8-7ffd8dd2cb7c}
{65c1967c-6a5c-44dd-9637-0d4d8b4c339b}
{c39e7c0b-79d5-4137-bef0-57cdf85c920f}
{77fe9731-b683-4599-9b06-a5dcea63d432}
{57ea692b-f9fe-42df-bf5e-af6953fba05a}

Philipp, I have extended the block to those add-ons.
Jorge, can you please review and approve?
Flags: needinfo?(philipp) → needinfo?(jorge)
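Added example, not part of the bug and not Mozilla's blocklist tooling: a small Python checker that reads a Firefox profile's `extensions.json` and reports any installed add-on whose ID appears in the two block lists above, the kind of thing a support volunteer could run against a trapped user's profile. It carries only a subset of the IDs from the lists (the full set is in the comments above); since the request blocks versions `*` at severity `hard`, matching on the ID alone is enough. The assumed layout of `extensions.json` (an `addons` array whose entries have `id`, `version`, `active` and `defaultLocale.name`) and the sample file are constructed for the example.

```python
"""Flag installed Firefox add-ons whose IDs appear in this block request.

Added example; not from the bug and not Mozilla's own blocklist tooling.
Assumption: the profile's extensions.json has an "addons" array whose
entries carry "id", "version", "active" and "defaultLocale" -> "name".
"""
import json
import sys
from pathlib import Path

# Subset of the add-on IDs listed in the block request above. The request
# sets "Extension versions to block: *" with severity "hard", so any
# installed version of these IDs counts as a hit; no version check needed.
BLOCKED_IDS = frozenset(i.lower() for i in (
    "{c1cf1f13-b257-4271-b922-4c57c6b6e047}",  # Smash, the attached add-on
    "{cff02c70-7f07-4592-986f-7748a2abd9e1}",  # second Smash entry
    "{1882a9ce-c0e3-4476-8185-f387fe269852}",
    "{a512297e-4d3a-468c-bd1a-f77bd093f925}",  # from the extended list
    "{57ea692b-f9fe-42df-bf5e-af6953fba05a}",
))

# Constructed sample in the assumed shape of a profile's extensions.json.
# The first ID is written in upper case on purpose to exercise the
# case-insensitive comparison below.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 31,
    "addons": [
        {"id": "{C1CF1F13-B257-4271-B922-4C57C6B6E047}", "version": "2.12",
         "type": "extension", "active": True,
         "defaultLocale": {"name": "Smash"}},
        {"id": "benign-example@example.invalid", "version": "1.0",
         "type": "extension", "active": True,
         "defaultLocale": {"name": "Constructed benign add-on"}},
        {"id": "{1882a9ce-c0e3-4476-8185-f387fe269852}", "version": "1.5",
         "type": "extension", "active": False,
         "defaultLocale": {"name": "Smash"}},
    ],
})


def find_blocked_addons(extensions_json_text, blocked_ids=BLOCKED_IDS):
    """Return one record per installed add-on whose ID is on the block list.

    IDs are lower-cased before comparison so a GUID that happens to be
    stored in upper case still matches.
    """
    data = json.loads(extensions_json_text)
    hits = []
    for addon in data.get("addons", []):
        addon_id = str(addon.get("id", ""))
        if addon_id.lower() not in blocked_ids:
            continue
        hits.append({
            "id": addon_id,
            "name": addon.get("defaultLocale", {}).get("name", "?"),
            "version": addon.get("version", "?"),
            # A disabled hit still matters: the user could re-enable it.
            "active": bool(addon.get("active", False)),
        })
    return hits


def scan_profile(profile_dir):
    """Read <profile_dir>/extensions.json and return the blocked add-ons in it."""
    path = Path(profile_dir) / "extensions.json"
    return find_blocked_addons(path.read_text(encoding="utf-8"))


def format_report(hits):
    """Render hits as a short plain-text report."""
    if not hits:
        return "no blocklisted add-ons installed"
    lines = ["blocklisted add-ons found:"]
    for h in hits:
        state = "ENABLED" if h["active"] else "disabled"
        lines.append(f'  {h["id"]}  {h["name"]!r} v{h["version"]}  {state}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_blocked.py /path/to/firefox/profile
    # With no argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        print(format_report(scan_profile(sys.argv[1])))
    else:
        print(format_report(find_blocked_addons(SAMPLE_EXTENSIONS_JSON)))
```

Run with a profile directory as the only argument to scan a real `extensions.json`; without an argument it scans the constructed sample and reports the two Smash entries, one enabled and one disabled. Because a hard block covers every version, the checker deliberately ignores the version field and reports disabled matches too, since a disabled add-on can be switched back on by the user.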
Done.
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jorge)
Resolution: --- → FIXED
See Also: → 1477950