Closed Bug 1549020 Opened 5 years ago Closed 5 years ago

Extension Block Request: SConnect

Categories

(Toolkit :: Blocklist Policy Requests, task)

RESOLVED FIXED

People

(Reporter: c.vanbruggen, Assigned: Fallen)

Details

Extension name SConnect
Extension versions affected <all versions>
Platforms affected <all platforms>
Block severity soft

Reason

I noticed that this application may violate the add-on policies, specifically the requirement that "Add-ons must be self-contained and not load remote code for execution".

To give some context, this application interfaces with a native binary on the host system. Using native messages it is able to communicate back and forth using JSON objects as a serialization method. One of the things that the binary can send to the extension is a 'SConnect-JS' type object to create a new JavaScript block within the page. In addition, the extension has permission to access all websites ("*"). I believe that this dynamic loading of JavaScript files from the host binary is a form of remote code execution within the context of all websites, or at least obfuscates the behaviour of the extension. (Due to some library issues and not having access to a smartcard that the binary interfaces with, I am unable to see this in action.)

The following code snippet shows the function where this is possible. The function is called when it receives a new message from the binary (via 'eventpage-ff.js', using the 'runtime.connectNative()' functionality).

function receiveFromEventPage(b) {
    if (b.rtype == "SConnect-JS") {
        // Script text supplied by the native host is executed in the page.
        var a = document.createElement("script");
        a.type = "text/javascript";
        a.appendChild(document.createTextNode(b.js));
        document.body.appendChild(a);
        document.body.removeChild(a);
    } else if (b.rtype == "SConnect-CSS") {
        // Stylesheet text supplied by the native host is injected into the page.
        var c = document.createElement("style");
        c.type = "text/css";
        c.appendChild(document.createTextNode(b.css));
        document.head.appendChild(c);
    } else {
        // Anything else is forwarded to the page with a wildcard target origin.
        window.postMessage(b, "*");
    }
}

Given that the extension is quite small it looks to me that this functionality was explicitly implemented by the authors.

Extension IDs

jid1-HfFCNbAsKx6Aow@jetpack

Additional Information

A copy can be downloaded from hxxp://www.sconnect.com/extensions/ , I downloaded version 2.9.1.0 but suspect other versions to have the same issue.
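For contrast with the snippet above, here is an added example (not part of this report and not SConnect's code) of a content-script handler that forwards only validated, structured data from a native host to the page and drops anything that would become script or style. The message types, field names and the targetOrigin parameter are hypothetical; in a real content script pageWindow is window.

```javascript
// Allowed message types and the JSON fields each may carry (hypothetical).
const ALLOWED = {
  "SConnect-Result": { fields: ["requestId", "status", "payload"] },
  "SConnect-Error":  { fields: ["requestId", "code"] },
};

// Validate a message received from the native host.
// Returns { ok, reason, data } where data holds only allowlisted primitives.
function validateNativeMessage(msg) {
  if (msg === null || typeof msg !== "object") {
    return { ok: false, reason: "not an object" };
  }
  // Executable content from the host is never accepted: the extension must
  // ship all of its own code, so script and style bodies are rejected outright.
  if (msg.rtype === "SConnect-JS" || msg.rtype === "SConnect-CSS") {
    return { ok: false, reason: "executable content rejected: " + msg.rtype };
  }
  const spec = ALLOWED[msg.rtype];
  if (!spec) {
    return { ok: false, reason: "unknown rtype" };
  }
  const data = { rtype: msg.rtype };
  for (const field of spec.fields) {
    const value = msg[field];
    if (value === undefined) continue;
    // Only primitives pass; nested objects could carry unexpected structure.
    if (!["string", "number", "boolean"].includes(typeof value)) {
      return { ok: false, reason: "field " + field + " is not a primitive" };
    }
    data[field] = value;
  }
  // Unknown fields on msg are deliberately not copied into data.
  return { ok: true, reason: "", data };
}

// Forward a validated message to the page. targetOrigin replaces the "*"
// wildcard so that only the intended site can receive the message.
function relayToPage(msg, pageWindow, targetOrigin) {
  const result = validateNativeMessage(msg);
  if (result.ok) {
    pageWindow.postMessage(result.data, targetOrigin);
  }
  return result;
}
```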

Assignee: nobody → philipp
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I've confirmed this add-on injects remote scripts from a native messaging host.

The block has been staged. Andreas, can you review and push?

Flags: needinfo?(awagner)

Done

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(awagner)
Resolution: --- → FIXED
Type: defect → task
Group: blocklist-requests

Hi Arnaud,

This add-on allows injecting arbitrary remote content into any web page, which is against our policies. Please note we cannot discuss further issues related to the add-on in this bug. If you are the owner of the add-on you are welcome to contact us using the email address associated with the account.

(In reply to Philipp Kewisch [:Fallen] [:📆] from comment #5)

> Hi Arnaud,
>
> This add-on allows injecting arbitrary remote content into any web page, which is against our policies. Please note we cannot discuss further issues related to the add-on in this bug. If you are the owner of the add-on you are welcome to contact us using the email address associated with the account.

Hi Philipp,

I am the owner of SConnect extension (along with SConnect team).

I sent an email using our add-on account.

I cannot stress the urgency of this.
Not only were we not notified via email (!!!) that our extension was blocked, but it happened just after the bug that blocked all the add-ons! That's a very long downtime for our users.

The extension is owned by a company that manages security, the last thing we will do is inject malicious code.

Please reply to my email ASAP.
As for now we recommend all of our users to use a different browser.

Thanks,
Sharona, Gemalto.

(In reply to Sharona from comment #8)

> Not only that we were not notified via email (!!!) that our extension was blocked, but it happened just after the bug that blocked all the addons ! That's a very long downtime for out users.

As the bug reporter, I would like to note that I also looked for a security contact on the Gemalto website but was unable to find one. If you want people to report these kinds of things, you probably need to make this more prominent on the website. As it seemed a clear violation of the extensions policy, a policy you must be aware of, I reported the extension here. I don't know if Mozilla sent you an email after it was blocked.

> The extension is owned by a company that manages security, the last thing we will do is inject malicious code.

There is absolutely no way that anyone is able to verify this when you dynamically inject code. As far as my understanding of the host binary goes, even that does not appear to contain the injected JavaScript code (more likely it is contained in a compiled library downloaded from the internet).

> As for now we recommend all of our users to use a different browser.

Obfuscating the behaviour of the extension is not just against Mozilla's policy, but also against the policy of other browsers. I would recommend your team to fix the issue by supplying (all) the code within the extension.

See Also: → 1550773

We've reviewed the situation and are going to change the block to be partial covering 0 - 2.9.1.0, the extension author will be uploading a new version for distribution that does not inject scripts into the pages.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

The block updates have been staged. Andreas, can you review and push?

Flags: needinfo?(awagner)

Done.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(awagner)
Resolution: --- → FIXED