Wladimir: want to mail the author and ask him to fix this up, preferably very shortly? Andy Mitchell email@example.com If we don't hear back in a few days, we'll figure out what to do next.
Mail sent:

Hi,

I stumbled upon a security hole in your extension: it injects an object into web pages that gives read/write access to browser's preferences. For example, when BumbleSearch is installed any web site can do something like this to read out your homepage settings:

document.BsOverlayGlobals.BsOptions.getOption("char", "browser.startup.homepage", false)

Similarly the web site can also change browser settings, e.g. redirect the homepage to some spyware site. Could you fix this?

regards
Wladimir
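The pattern reported in the mail above, modelled in plain JavaScript as an added example (this is not code from the Bumble Search extension or from the bug thread): a privileged preference object handed straight to page scripts, beside a confined bridge that only answers for the extension's own preference namespace, plus a small audit helper a reviewer could run against either. The names browserPrefs, privilegedOptions, EXTENSION_PREFIX and auditBridge, and the sample preference values, are assumptions made for this model.

```javascript
// Added example, not code from the Bumble Search extension: a plain-JavaScript model of
// the flaw in the mail above (a privileged object attached to the page document) next to
// a confined version. browserPrefs, privilegedOptions, EXTENSION_PREFIX and auditBridge are
// assumed names; the preference values are constructed samples.

// Stands in for the browser's preference service.
const browserPrefs = new Map([
  ["browser.startup.homepage", "https://example.org/start"],
  ["extensions.bumblesearch.engine", "google"],
]);

// The privileged API that extension (chrome) code legitimately uses.
const privilegedOptions = {
  getOption(type, name, fallback) {
    return browserPrefs.has(name) ? browserPrefs.get(name) : fallback;
  },
  setOption(type, name, value) {
    browserPrefs.set(name, value);
  },
};

// Vulnerable pattern: the whole privileged object is attached to the page's document, so a
// script on any site can read or change any browser preference through it.
function vulnerableInject(pageDocument) {
  pageDocument.BsOverlayGlobals = { BsOptions: privilegedOptions };
  return pageDocument;
}

// Hardened pattern: page scripts get a frozen, read-only view that only answers for the
// extension's own preference namespace; the privileged object itself never crosses over.
const EXTENSION_PREFIX = "extensions.bumblesearch.";
function hardenedInject(pageDocument) {
  const narrowApi = Object.freeze({
    getExtensionOption(name) {
      if (typeof name !== "string" || !name.startsWith(EXTENSION_PREFIX)) {
        throw new Error("refused: not an extension-owned preference");
      }
      return privilegedOptions.getOption("char", name, null);
    },
  });
  pageDocument.BsOverlayGlobals = Object.freeze({ BsOptions: narrowApi });
  return pageDocument;
}

// Audit helper: from the page's point of view, can a script read or write a browser-wide
// preference through whatever the extension exposed? Any write it makes is undone.
function auditBridge(pageDocument) {
  const bridge = pageDocument.BsOverlayGlobals && pageDocument.BsOverlayGlobals.BsOptions;
  const result = { canRead: false, canWrite: false };
  if (!bridge) return result;
  const before = browserPrefs.get("browser.startup.homepage");
  try {
    if (typeof bridge.getOption === "function" &&
        bridge.getOption("char", "browser.startup.homepage", null) === before) {
      result.canRead = true;
    }
  } catch (_) { /* bridge refused: that is the desired outcome */ }
  try {
    if (typeof bridge.setOption === "function") {
      bridge.setOption("char", "browser.startup.homepage", before + "#audit");
      result.canWrite = browserPrefs.get("browser.startup.homepage") !== before;
    }
  } finally {
    browserPrefs.set("browser.startup.homepage", before); // restore the original value
  }
  return result;
}

console.log("vulnerable bridge:", auditBridge(vulnerableInject({})));
console.log("hardened bridge:", auditBridge(hardenedInject({})));
```

The point of the hardened variant is that the object reachable from content is built fresh, frozen, and holds no reference to the privileged service; a reviewer checking an extension for this class of bug looks for exactly that boundary rather than for a particular preference name.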
Got a response:

> Well done, you stumbled upon my dirty little secret :)
> I actually discovered this about 2 days before I departed for Laos (I
> just got back), while working on a new extension.
>
> I didn't want to announce it for two reasons,
> 1) Not to panic people and cause a mass uninstall of Bumble Search
> 2) Not to alert people who would take advantage of it
>
> Rest assured, I'm very very concerned about the hole, and it will be
> completely addressed in the next release, due within 2 weeks.

I asked to be notified when he is done.
a month has passed...
A whole lot more than a month has passed... The last mail I received (on 2006-11-29) went like this:

> The current timeline is thus,
>
> 1) Finish new extension (by Friday)
> 2) Use the reusable components in the new extension to build the next
> version of Bumble Search (2 days)
> 3) Release new version of Bumble Search with all passing of
> higher-permission objects into the client DOM removed.

Somehow the release of a new version was delayed. Can we move Bumble Search to the sandbox at least?
Yeah, I moved all the versions to the sandbox so that they're not installable. If you're in contact with the author and can tell them about this bug, we could cc: them here.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
I sent a mail asking the author to register in Bugzilla; AFAICT he doesn't have an account yet.
Btw, Mike, don't you think that people will go to author's homepage if they find a public add-on that doesn't have an installation box?
They might, but I'm not sure what else would be better. If they get a 404 they'll go looking for it too, and find it via google. I put a note on the description that will hopefully give people appropriate pause. Dan: you think we should blocklist this?
Hi, I'm the author of Bumble Search. Sincere apologies for my late response to this bug; I'm still active in extensions and wish to correct it. My intent is to:

* Create a new (secure from the start) extension to replace Bumble Search, known as WebCards, and near completion. Existing users of Bumble Search will be encouraged to try WebCards to get their existing functionality.
* Bumble Search's functionality will be restricted to just Google, and security set in place.
* The blog (which is embedded into the software) will be used to notify existing users of the security issue, and request they upgrade.
* It will be submitted to Mozilla to propagate the upgrade.

This will be completed by the end of March.
In addition, I will temporarily disable new downloads asap.
Component: Add-ons → Administration
QA Contact: add-ons → administration
Product: addons.mozilla.org → addons.mozilla.org Graveyard
I think that this should be public by now.