Source spoofing in XPI extension installation.
Categories: Toolkit :: Add-ons Manager, defect
People: Reporter: febou92, Unassigned
Keywords: reporter-external; Whiteboard: [client-bounty-form]
Attachments: 1 file (5.70 MB, video/mp4)
Hello

The Firefox browser uses the "Origin" instead of the domain hosting the "XPI" in the prompt to download an add-on.
In the attached example you will see how it might be possible to use this to make a user believe the extension comes from somewhere else, such as an email provider or a forum.
Installing a malicious extension can leak users' private information and establish persistence on a computer.
It should be noted that my example uses an add-on already hosted on Mozilla's website as this was quicker than programming my own, but I have tested with add-ons hosted on third-party websites and it works just the same.

Regards,
Felix
Comment 1
This is an intentional decision. Just because the target add-on is downloaded from addons.mozilla.org doesn't mean it's a "good" one. If it's new maybe the badness hasn't been discovered yet. It could also be an old known-vulnerable version of that addon. If people saw "addons.mozilla.org" they might trust it too much. It's "mail.google.com" that's trying to get you to install this addon.
Maybe we want to improve our UI here, but it's not a security issue.
Oh okay, I do understand the decision; that is pretty nice for red team engagements.
Outlook.com or google.mail.com trying to download a browser extension has massive potential; the browser is the new OS.
Do you mind if I document the feature on hacktricks?

Regards,
Felix
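The thread above turns on the install prompt naming the page that triggered the install rather than the host serving the XPI, which is why managed deployments usually pin the sites allowed to install extensions instead of relying on the prompt. As an added example that is not part of this bug report, the Firefox enterprise `policies.json` below uses the documented `ExtensionSettings` keys to allow installs only from addons.mozilla.org and a placeholder internal host, so an install raised from a mail or forum page that matches neither pattern is refused regardless of where the XPI is hosted; `extensions.example.internal` is a placeholder, not a real host.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "allowed",
        "install_sources": [
          "https://addons.mozilla.org/*",
          "https://extensions.example.internal/*"
        ],
        "blocked_install_message": "Extensions may only be installed from approved sources. Contact IT if you need this add-on."
      }
    }
  }
}
```

Place the file in the `distribution` directory of the Firefox installation (or deliver the same keys via Windows Group Policy or macOS configuration profiles) and confirm it took effect on the `about:policies` page.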