Closed Bug 1549888 Opened 5 years ago Closed 5 years ago

Add-ons can bypass Mozilla add-on review process by modifying XPI after install (Flash Video Downloader)

Categories

(Toolkit :: Blocklist Policy Requests, task)

task
Not set
major


RESOLVED DUPLICATE of bug 1549444

People

(Reporter: yoasif, Unassigned)

Attachments

(1 file)

From https://github.com/mozilla/addons/issues/1026

STR:

As seen in the GitHub issue.

OR

Install the artur.dubovoy@gmail.com.xpi attached to this bug.

What happens:

Firefox allows me to install this add-on, even though it was never reviewed by Mozilla.

Expected result:

It should not be possible for an unreviewed add-on to be installed if xpinstall.signatures.required is true, even if it is replaced on disk.

I was able to install this in Firefox stable 66.0.3 (mentioned because the original report mentions nightly).

There are multiple ways to temporarily install an unapproved add-on by modifying the profile. This is unfortunately a job for anti-malware software, since there's only so much we can do about external malware running on the system.

However, we do periodically check all installed add-ons for a valid signature, and if they fail the signature check we disable them.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX

That said, we should still probably blocklist this add-on.

Status: RESOLVED → REOPENED
Component: General → Blocklist Policy Requests
Product: WebExtensions → Toolkit
Resolution: WONTFIX → ---

Kris, I didn't modify the profile in this case - I could have easily hosted this XPI on a non-Mozilla domain and asked users to download it to Firefox.

Firefox would not complain (it is significant that I mentioned that this was installed in a stable Firefox).

This isn't a question of whether malware that runs locally on the machine can modify a user's profile folder - I don't quite understand how FVD is able to create an add-on that Firefox will happily install without touching a profile at all.

Flags: needinfo?(kmaglione+bmo)

The steps to reproduce in https://github.com/mozilla/addons/issues/1026 describe installing an external helper module. Presumably that is what replaces the XPI in the profile, since add-ons cannot modify files in the profile themselves.

Flags: needinfo?(kmaglione+bmo)

I don't need to modify my profile. I can install it from right here in bugzilla.

Is it expected that an add-on developer can self-host an add-on that was never signed by Mozilla? Or are you saying that the add-on was signed for distribution outside of AMO and then the developer placed it into Firefox via an external helper?

I am operating under the assumption that the add-on was never signed by Mozilla, and that the developer somehow signed it themselves. The distribution method is not what I am concerned about here - just the signing.

This is the concern I am responding to from the original report:

FVD has circumvented the Mozilla Addon review process, and is modifying/replacing its own .xpi file with versions not reviewed by Mozilla, which adds CSP rules and scripts from malware domain mdn2015x4.com.

Flags: needinfo?(kmaglione+bmo)

The versions of this add-on that violate Mozilla's add-on policies have been blocked already. Therefore, (and because of comment 1) I am closing this bug.

Status: REOPENED → RESOLVED
Type: defect → task
Closed: 5 years ago
Resolution: --- → DUPLICATE

I'm surprised that this has not come up before. This add-on has been like this for multiple years.

No, violating functionality was added earlier this year. If you have more information about offensive functionality in a currently public version, please file a new bug.

Flags: needinfo?(awagner)

Can you please list steps that the developer can take ASAP so that this excellent Add-on be restored?

I have found your suggested alternative - Video DownloadHelper - is inferior, as I have also used it for years alongside Flash Video Downloader.

Please do not hide this comment, as someone has been doing to anyone who raises legitimate questions to this thread, and the Github thread.

Flags: needinfo?(awagner)

There are three things that the un-reviewed extension did:

1. Added a Content Security Policy (CSP) for all pages for mdn2015x4.com, which appears to be a malware domain:
	"content_security_policy": "script-src 'self' *.mdn2015x4.com; object-src 'self'",

2. Injects 2 new scripts which run for all pages (and which are new .js files not found in the version reviewed by Mozilla), including:
	/js/hooks/full-page.js
	/js/contentScripts/contentAll.js

3. Adds a script from malware domain mdn2015x4.com to popup.html

Not doing those things and not bypassing the Mozilla review process would likely be a bare minimum, but I am not a Mozilla employee.

I would suggest reaching out to the add-on developer so that they can contact Mozilla directly to resolve these issues and for next steps (if any).

Complaining to Mozilla when the add-on was removed for breaking the rules, and for adding scripts from malware domains doesn't seem productive when the developer doesn't seem interested in resolving the issue.

Flags: needinfo?(awagner)
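The three manifest changes listed above, together with the periodic signature check mentioned earlier in the thread, can be checked mechanically from the XPI alone. The following is an added example, not code from this bug or from Mozilla: it opens an XPI, flags missing signature files in META-INF (the file names manifest.mf, mozilla.sf and mozilla.rsa are an assumption about the signed-XPI layout), reports any script-src host in the manifest CSP, and lists content scripts absent from an allowlist of the reviewed version; the sample XPI and the allowlist are constructed.

```python
import io
import json
import zipfile
# Files a Mozilla-signed XPI carries in META-INF (assumption about the signed-XPI layout).
SIGNATURE_FILES = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}


def remote_script_sources(csp):
    """Return the script-src entries of a CSP string that are hosts rather than quoted keywords like 'self'."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return [src for src in parts[1:] if not src.startswith("'")]
    return []


def audit_xpi(xpi_bytes, reviewed_scripts):
    """Return findings for an XPI: missing signature files, remote CSP script-src hosts, unreviewed content scripts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        missing = SIGNATURE_FILES - set(zf.namelist())
        if missing:
            findings.append("missing signature files: " + ", ".join(sorted(missing)))
        manifest = json.loads(zf.read("manifest.json"))
    for host in remote_script_sources(manifest.get("content_security_policy", "")):
        findings.append("CSP allows remote scripts from " + host)
    for entry in manifest.get("content_scripts", []):
        for js in entry.get("js", []):
            if js not in reviewed_scripts:
                findings.append("content script not in reviewed version: " + js)
    return findings


def build_xpi(manifest, signed):
    """Constructed sample XPI: a zip with manifest.json and, if signed, placeholder signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name in (SIGNATURE_FILES if signed else ()):
            zf.writestr(name, "placeholder")
    return buf.getvalue()


# Constructed manifest mirroring the changes the comment describes (CSP host and two new scripts).
MODIFIED_MANIFEST = {
    "manifest_version": 2, "name": "sample", "version": "1.0",
    "content_security_policy": "script-src 'self' *.mdn2015x4.com; object-src 'self'",
    "content_scripts": [{"js": ["js/hooks/full-page.js", "js/contentScripts/contentAll.js"]}],
}
REVIEWED_SCRIPTS = {"js/content.js"}  # constructed allowlist of scripts in the reviewed version
if __name__ == "__main__":
    for finding in audit_xpi(build_xpi(MODIFIED_MANIFEST, signed=False), REVIEWED_SCRIPTS):
        print(finding)
```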

This bug is not suited for discussions, its action has been resolved. If you have further comments, please use our discussion forums: http://discourse.mozilla.org/c/add-ons

Restrict Comments: true
Flags: needinfo?(kmaglione+bmo)