Open Bug 1927777 Opened 14 days ago Updated 23 hours ago

Source spoofing in XPI extension installation.

Categories

(Toolkit :: Add-ons Manager, defect)

People

(Reporter: febou92, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Attachments

(1 file)

Hello
The Firefox browser uses the "Origin" instead of the domain hosting the "XPI" in the prompt to download an add-on.
In the attached example you will see how it might be possible to use this to make a user believe the extension comes from somewhere else, such as an email provider or a forum.
Installing a malicious extension can leak users' private information and establish persistence on a computer.
It should be noted that my example uses an add-on already hosted on Mozilla's website, as this was quicker than programming my own, but I have tested with add-ons hosted on third-party websites and it works just the same.

Regards,

Felix

Flags: sec-bounty?
Component: Security → Add-ons Manager
Product: Firefox → Toolkit

This is an intentional decision. Just because the target add-on is downloaded from addons.mozilla.org doesn't mean it's a "good" one. If it's new maybe the badness hasn't been discovered yet. It could also be an old known-vulnerable version of that addon. If people saw "addons.mozilla.org" they might trust it too much. It's "mail.google.com" that's trying to get you to install this addon.

Maybe we want to improve our UI here, but it's not a security issue.

Group: firefox-core-security

Oh okay, I do understand the decision; that is pretty nice for red team engagements.
Outlook.com or google.mail.com trying to download a browser extension has massive potential; the browser is the new OS.
Do you mind if I document the feature on hacktricks?

Regards,

Felix

Status: UNCONFIRMED → NEW
Ever confirmed: true