Anyone can update an addon.
(Reporter: cameron, Assigned: morgamic)

Steps to reproduce:
1) Register to become an AMO editor. AMO is looking for reviewers because there aren't enough and the current system is cumbersome, so it's pretty much guaranteed you'll be accepted.
2) Visit Supplement the id of whatever popular addon you want to spread your attack through.
3) Download the addon from the addon's listing page, copy some of the stuff (e.g. install.rdf so it recognises it as the same addon), but edit the rest of the addon to do Evil Stuff (tm) (e.g. crash browser, scrap profile, delete files, attempt to copy and send saved passwords to a remote server, etc. etc.). Save it as the same filename with a bumped version number. Oh, and bump the versions in install.rdf too.
4) Under "Add New Version of addonname" click "browse" and select your own addon.
5) Click next, fill in details, click next again.
6) Go to the approval queue. I didn't test this, but you may be able to review this yourself. Says the authors are the people who authored the old one, but that it was requested by you. (Not sure how it detects if you're trying to review your own addon, if you are the author or if you are the person who requested it.) I promptly denied it so that my test version did not get out. However, if it didn't work with your own account, just create another account and apply to be an editor. You will be approved as per step 1.
7) AMO is whitelisted in Firefox, anyone who checks for updates to the addon will get your new updated Evil Addon. If you pick a popular addon in step 2, hundreds or maybe thousands of people will download your Evil Addon before it is noticed by the owner of the addon (most likely nobody else would notice it.)
8) Commence world domination.

Expected results: Editors shouldn't be allowed to edit other people's addons.

Proof of concept: I did this up to step 5. I denied it at step 6. You can see the details of it in the approval log.

16 | 14633 | 473 | Approval- | 2006-04-05 10:55:06 | NO | NO | NO | NO | NO | NO | NO | NO | - | - | Denying. This is serious.

Comment 1

Created attachment 217352
Skip owner check only if the user is an admin.

This patch was committed.
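To make the authorization rule concrete, here is a small model of the owner check that comment 1 describes and that the reporter's steps 4 to 6 bypassed. It is an added illustration, not AMO's code: the role names `editor` and `admin`, the helper names and the add-on ids are assumptions. It puts the flawed rule (any editor skips the owner check) beside the corrected one (only admins skip it), and adds an assumed separation-of-duties check so the account that uploaded a version cannot also be the one to approve it, the question step 6 left open.

```python
# Illustrative model of the "Add New Version" ownership check (not AMO's code).
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    roles: FrozenSet[str] = frozenset()  # e.g. {"editor"}, {"admin"}; role names assumed


@dataclass
class Addon:
    addon_id: int
    authors: FrozenSet[int]  # user ids of the listed authors (the owners)
    # (version string, submitting user id) pairs, oldest first
    versions: List[Tuple[str, int]] = field(default_factory=list)


class PermissionDenied(Exception):
    pass


def may_add_version_before_fix(user: User, addon: Addon) -> bool:
    """The flawed rule: reviewers (editors) skipped the owner check entirely."""
    if "admin" in user.roles or "editor" in user.roles:
        return True
    return user.user_id in addon.authors


def may_add_version_after_fix(user: User, addon: Addon) -> bool:
    """The corrected rule: only admins skip the owner check; editors must be authors."""
    if "admin" in user.roles:
        return True
    return user.user_id in addon.authors


def add_version(user: User, addon: Addon, version: str, policy=may_add_version_after_fix) -> None:
    """Record a new version only when the chosen policy grants access."""
    if not policy(user, addon):
        raise PermissionDenied(
            f"user {user.user_id} may not add versions to add-on {addon.addon_id}"
        )
    addon.versions.append((version, user.user_id))


def may_review_version(reviewer: User, addon: Addon, version: str) -> bool:
    """Assumed separation-of-duties rule: a reviewer never approves a version they submitted."""
    submitter = dict(addon.versions).get(version)
    if submitter is None:
        return False  # unknown version: nothing to review
    has_review_role = bool(reviewer.roles & {"editor", "admin"})
    return has_review_role and reviewer.user_id != submitter


def demo() -> Dict[str, object]:
    """Constructed scenario: one author, two unrelated editors, one admin."""
    author = User(1)
    editor = User(2, frozenset({"editor"}))
    admin = User(3, frozenset({"admin"}))
    other_editor = User(4, frozenset({"editor"}))
    addon = Addon(addon_id=1001, authors=frozenset({author.user_id}))  # constructed id

    results: Dict[str, object] = {}
    for name, policy in (("before_fix", may_add_version_before_fix),
                         ("after_fix", may_add_version_after_fix)):
        results[name] = {u.user_id: policy(u, addon) for u in (author, editor, admin)}

    # What the flaw allowed: an unrelated editor uploads a version.
    add_version(editor, addon, "1.1", policy=may_add_version_before_fix)
    results["submitter_can_review_own"] = may_review_version(editor, addon, "1.1")
    results["other_editor_can_review"] = may_review_version(other_editor, addon, "1.1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under the corrected policy the editor's upload in step 4 is refused with `PermissionDenied`, and even where an upload does get through, the self-review check keeps the submitter out of the approval step for that version.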

Comment 2

This should be live -- please verify.
Last Resolved: 13 years ago
Resolution: --- → FIXED

Comment 3

Good work morgamic :D
thanks for the quick work (and thanks for finding it, Cameron)

Group: update-security
Target Milestone: 2.1 → ---
Product: → Graveyard