Closed Bug 332277 Opened 14 years ago Closed 14 years ago

"Allow site to install extensions" -- poor design, potentially vulnerable to trick, modified approach suggested

Categories

(Firefox :: Security, defect, major)

x86
Windows XP

RESOLVED DUPLICATE of bug 252830

People

(Reporter: contactbox, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

The current option means that to install an extension, you have to mark *all* pages of that entire site as "allowing software to be installed". That's very dangerous. Imagine I'm downloading an extension, to do it I have to give the entire domain (including other sites on that domain) authority to install software extensions. Yes FF will ask me and I should notice, but the point is that's very bad practice.

Plus you can guarantee that some individuals will code extensions for adware, spyware and other malicious purposes, much as ActiveX is sometimes used, with all kinds of "this site needs to download a small extension to firefox to make it work" messages.

A global install permission list needs to be directory not just domain granular, since many extensions are hosted on (eg, personal) sites whose domains are yahoo, geocities, %MY_ISP%, etc etc. Finally (in passing) it's poor user interface to click on an XPI link, be asked yes or no, then have to click the link *again* to retry.

Reproducible: Always

Steps to Reproduce:
n/a -- inherent in present design of this function.
Actual Results:  
User pre-approves all installations from all sites hosted on the specified domain, both now and future. 

In practice this means that if I place a spy/ad/phish extension on a free site *anywhere* on the same domain as a popular extension site, with a phished link, and tell people they need to click "install" to see any function I name, I am likely to benefit from bypassing a security measure designed to protect many users who have directed FF that this domain is "always allowed" to install software, even if they have only once, long ago, installed an extension from some other page on that domain. 

This is semi-equivalent to the ad/spyware ActiveX issue in IE, in that an extension of unknown purpose can be added based on misdescription and its creator can plan to create a bypass of the standard alert for many users with careful choice of their website.

Expected Results:  
A better alert would give an explanation, and would remember on a *package by package* basis the allow/deny options. It would also by default require confirmation every time an extension was installed, which is a minor inconvenience for a few people and a major security gain for many. 

Here's how I'd do it: -

"This site is trying to install a software extension for firefox. If you do not wish to add this function to Firefox, or are not expecting this request, you should deny it. You can also disable or remove extensions at any time using the extension manager." 

Options: "install // deny once // deny always." And a button "Always trust extensions from <http://webfolder.com/sample_directory>"

A tab in options // security (not "options//content"!!) would then allow users to edit the list of sites or directories, for which the warning would be skipped, allowing the yellow alert for folders such as <http://releases.mozilla.org/pub/mozilla.org/extensions> to be globally skipped if a user wishes.

Although not a vulnerability as such, and really more a "safe browsing" issue, I've logged it under "security/confidential" in order not to encourage misuse prior to consideration, since it is a wide open weakness in the "allow site to install extension" design. Please reallocate elsehow if appropriate.

> Imagine I'm downloading an extension, to do it I have to give the
> entire domain (including other sites on that domain) authority to install
> software extensions.

You are giving the site permission to *ask* you to install software which is a crucial distinction (Mozilla Suite has no blocking at all, but is still safe) -- but point taken.

> In practice this means that if I place a spy/ad/phish extension on a free
> site *anywhere* on the same domain as a popular extension site, with a
> phished link, and tell people they need to click "install" to see any
> function I name, I am likely to benefit from bypassing a security measure

In practice these folks just tell the user to hit the "allow once" button and users of the same sort who would hit the "Install" button anyway in your scenario are just as likely to do it.

> It would also by default require
> confirmation every time an extension was installed, which is a minor
> inconvenience for a few people and a major security gain for many. 

It does. The site whitelisting is an anti-popup feature. The real security check is the Install confirmation dialog that the user will always get and have to click "Install" on.

*** This bug has been marked as a duplicate of 252830 ***

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
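
The directory-granular permission list proposed in the report, set beside the host-granular check it criticises, as an added JavaScript example that is not Firefox code; the function names and every sample URL other than the report's `http://webfolder.com/sample_directory` are assumptions. As the reply points out, a list like this only decides whether a page may raise the install prompt; the Install confirmation dialog still follows.

```javascript
// Added illustration, not Firefox code. Function names and sample URLs are
// hypothetical; only http://webfolder.com/sample_directory is from the report.

// Host-granular check (the design the report criticises): any path on an
// allowed host may raise the install prompt.
function hostAllowed(allowedHosts, installUrl) {
  return allowedHosts.includes(new URL(installUrl).hostname);
}

// Directory-granular check (the report's proposal): scheme, host and port
// must match, and the path must sit inside a trusted directory.
function directoryAllowed(trustedDirs, installUrl) {
  const u = new URL(installUrl); // the parser resolves "." and ".." segments
  // Encoded path separators are left undecoded by the parser; reject them
  // rather than guess how the server will interpret them.
  if (/%2f|%5c/i.test(u.pathname)) return false;
  return trustedDirs.some((dir) => {
    const d = new URL(dir);
    // Compare on a segment boundary so that /sample_directory does not also
    // trust /sample_directory_other/.
    const base = d.pathname.endsWith("/") ? d.pathname : d.pathname + "/";
    return u.origin === d.origin && u.pathname.startsWith(base);
  });
}

// Constructed sample data.
const HOSTS = ["webfolder.com"];
const DIRS = ["http://webfolder.com/sample_directory"];
const CASES = [
  "http://webfolder.com/sample_directory/good.xpi",
  "http://webfolder.com/other_user/lookalike.xpi",
  "http://webfolder.com/sample_directory_other/x.xpi",
  "http://webfolder.com/sample_directory/../other_user/x.xpi",
  "http://webfolder.com/sample_directory/..%2fother_user/x.xpi",
];

// Evaluate every sample URL under both policies.
function compare() {
  return CASES.map((url) => ({
    url,
    host: hostAllowed(HOSTS, url),
    directory: directoryAllowed(DIRS, url),
  }));
}

console.table(compare());
```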