Bug 332861 - Anyone can update an addon.
Opened 19 years ago
Closed 19 years ago
Categories: addons.mozilla.org Graveyard :: Developer Pages, defect
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: cameron, Assigned: morgamic
Attachments (1 file): patch, 1.22 KB
Description
Steps to reproduce:
1) Register to become an AMO editor. AMO is looking for reviewers because there are not enough and the current system is cumbersome, so it's pretty much guaranteed you'll be accepted.
2) Visit https://addons.mozilla.org/developers/itemoverview.php?id=16. Substitute the id of whatever popular addon you want to spread your attack through.
3) Download the addon from the addon's listing page and copy some of the stuff (e.g. install.rdf, so it recognises it as the same addon), but edit the rest of the addon to do Evil Stuff (tm) (e.g. crash the browser, scrap the profile, delete files, attempt to copy and send saved passwords to a remote server, etc.). Save it under the same filename with a bumped version number. Oh, and bump the versions in install.rdf too.
4) Under "Add New Version of addonname" click "browse" and select your own addon.
5) Click next, fill in details, click next again.
6) Go to the approval queue. I didn't test this, but you may be able to review this yourself. Says the authors are the people who authored the old one, but that it was requested by you. (Not sure how it detects if you're trying to review your own addon, if you are the author or if you are the person who requested it.) I promptly denied it so that my test version did not get out. However, if it didn't work with your own account, just create another account and apply to be an editor. You will be approved as per step 1.
7) AMO is whitelisted in Firefox, anyone who checks for updates to the addon will get your new updated Evil Addon. If you pick a popular addon in step 2, hundreds or maybe thousands of people will download your Evil Addon before it is noticed by the owner of the addon (most likely nobody else would notice it.)
8) Commence world domination.
Expected results: Editors shouldn't be allowed to edit other people's addons.
Proof of concept: I did this up to step 5. I denied it at step 6. You can see the details of it in the approval log.
16 14633 473 Approval- 2006-04-05 10:55:06 NO NO NO NO NO NO NO NO - - Denying. This is serious.
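The authorization flaw the steps above describe, as an added example that is not AMO's own code (the real developer pages were PHP and the committed patch is not shown on this page): a small Python model of the "add new version" check before and after it is tied to authorship of the specific add-on, plus a reviewer-side separation-of-duties check for the approval queue. The user/role/author data model, the user names, the version strings and the helper names (`add_version_vulnerable`, `add_version_fixed`, `review_version`, `run_attack`) are assumptions for illustration; add-on id 16 is the one from the report.

```python
"""
Toy model of the AMO developer-page authorization flaw from bug 332861.

Added example, not AMO's own code: the site was PHP and its data model is
not shown on the bug page, so users, roles and the author list of an add-on
are assumed here. Two checks are modelled:

  1. add_version_*: who may upload a new version of an add-on.
  2. review_version: who may approve a pending version (separation of duties).
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    name: str
    is_editor: bool = False      # AMO "editor" = reviewer with approval-queue access


@dataclass
class Addon:
    id: int
    name: str
    authors: set = field(default_factory=set)      # accounts that own the listing
    versions: list = field(default_factory=list)   # approved versions served to users


@dataclass
class PendingVersion:
    addon_id: int
    version: str
    submitted_by: str
    status: str = "pending"


def add_version_vulnerable(user, addon, version, queue):
    """Assumed shape of the bug: the developer page accepts an upload from any
    account with developer-page access, and editors have that access for
    every add-on, so the check never ties the user to this add-on's id."""
    if not (user.is_editor or user.name in addon.authors):
        raise PermissionDenied(f"{user.name} may not modify add-on {addon.id}")
    pending = PendingVersion(addon.id, version, user.name)
    queue.append(pending)
    return pending


def add_version_fixed(user, addon, version, queue):
    """Fix: the right to edit a listing comes only from authorship of that
    specific add-on. Editor status grants review rights, not upload rights."""
    if user.name not in addon.authors:
        raise PermissionDenied(f"{user.name} is not an author of add-on {addon.id}")
    pending = PendingVersion(addon.id, version, user.name)
    queue.append(pending)
    return pending


def review_version(reviewer, pending, addon, approve):
    """Reviewer-side check: require editor status, and refuse to let an editor
    approve a version they submitted or an add-on they author, so one account
    can never both upload and approve a malicious version."""
    if not reviewer.is_editor:
        raise PermissionDenied(f"{reviewer.name} is not an editor")
    if reviewer.name == pending.submitted_by or reviewer.name in addon.authors:
        raise PermissionDenied(f"{reviewer.name} may not review their own submission")
    pending.status = "approved" if approve else "denied"
    if approve:
        addon.versions.append(pending.version)
    return pending.status


def run_attack(add_version):
    """Replay the reporter's steps against one of the two upload checks.
    Names and version strings are constructed sample data."""
    mallory = User("mallory", is_editor=True)          # freshly approved editor, not an author
    addon = Addon(16, "popular-addon", authors={"owner"}, versions=["1.0"])
    queue = []
    result = {"upload": None, "self_review": None, "accomplice_review": None, "served": None}
    try:
        pending = add_version(mallory, addon, "1.1-evil", queue)   # steps 4-5
        result["upload"] = "accepted"
    except PermissionDenied:
        result["upload"] = "denied"
        result["served"] = list(addon.versions)
        return result
    try:                                                # step 6: approve it yourself?
        review_version(mallory, pending, addon, approve=True)
        result["self_review"] = "approved"
    except PermissionDenied:
        result["self_review"] = "denied"
    accomplice = User("mallory2", is_editor=True)      # step 6 fallback: a second editor account
    result["accomplice_review"] = review_version(accomplice, pending, addon, approve=True)
    result["served"] = list(addon.versions)             # step 7: what the update check now delivers
    return result


def owner_can_upload():
    """The fix must not lock out the legitimate author."""
    owner = User("owner")
    addon = Addon(16, "popular-addon", authors={"owner"})
    return add_version_fixed(owner, addon, "1.1", []).status == "pending"


if __name__ == "__main__":
    print("vulnerable:", run_attack(add_version_vulnerable))
    print("fixed:     ", run_attack(add_version_fixed))
```

Under the vulnerable check the self-review is refused but a second editor account still gets the evil version into the served list, which is why the fix has to sit on the upload path (authorship of this add-on) rather than relying on the queue to catch it.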
Assignee
Comment 1•19 years ago
This patch was committed.
Assignee
Comment 2•19 years ago
This should be live -- please verify.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 3•19 years ago
Verified.
Good work morgamic :D
Status: RESOLVED → VERIFIED
Comment 4•19 years ago
thanks for the quick work (and thanks for finding it, Cameron)
Assignee
Updated•19 years ago
Group: update-security
Updated•18 years ago
Target Milestone: 2.1 → ---
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard