Bumble Search gives web sites read/write access to preferences

RESOLVED FIXED

Status

RESOLVED FIXED
12 years ago
3 years ago

People

(Reporter: gaubugzilla, Unassigned)

Tracking

Details

(Whiteboard: needs-blocklist, URL)

(Reporter)

Description

12 years ago
Bumble Search injects an object called BsOverlayGlobals into all web pages. This object has a property BsOptions which implements the methods getOption() and setOption() - direct access to browser's preferences. To test install BumbleSearch and enter this into the address bar on any web page:

javascript:alert(document.BsOverlayGlobals.BsOptions.getOption("char", "browser.startup.homepage", false))

It should display the value of your homepage setting.
Wladimir: want to mail the author and ask him to fix this up, preferably very shortly?

Andy Mitchell a.r.mitchell@gmail.com

If we don't hear back in a few days, we'll figure out what to do next.
(Reporter)

Comment 2

12 years ago
Mail sent:

Hi,

I stumbled upon a security hole in your extension: it injects an object into web pages that gives read/write access to browser's preferences. For example, when BumbleSearch is installed any web site can do something like this to read out your homepage settings:

document.BsOverlayGlobals.BsOptions.getOption("char", "browser.startup.homepage", false)

Similarly the web site can also change browser settings, e.g. redirect the homepage to some spyware site. Could you fix this?

regards
Wladimir
(Reporter)

Comment 3

12 years ago
Got a response:

> Well done, you stumbled upon my dirty little secret :)
> I actually discovered this about 2 days before I departed for Laos (I 
> just got back), while working on a new extension.
> 
> I didn't want to announce it for two reasons,
> 1) Not to panic people and cause a mass uninstall of Bumble Search
> 2) Not to alert people who would take advantage of it
> 
> Rest assured, I'm very very concerned about the hole, and it will be 
> completely addressed in the next release, due within 2 weeks.

I asked to be notified when he is done.

Comment 4

12 years ago
a month has passed...
(Reporter)

Comment 5

12 years ago
A whole lot more than a month has passed... The last mail I received (on 2006-11-29) went like this:

> The current timeline is thus,
> 
> 1) Finish new extension (by Friday)
> 2) Use the reusable components in the new extension to build the next 
> version of Bumble Search (2 days)
> 3) Release new version of Bumble Search with all passing of 
> higher-permission objects into the client DOM removed.

Somehow the release of a new version was delayed. Can we move Bumble Search to the sandbox at least?
Yeah, I moved all the versions to the sandbox so that they're not installable.  If you're in contact with the author and can tell them about this bug, we could cc: them here.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Whiteboard: needs-blocklist
(Reporter)

Comment 7

12 years ago
I sent a mail asking the author to register in Bugzilla, IFAICT he doesn't have an account yet.
(Reporter)

Comment 8

12 years ago
Btw, Mike, don't you think that people will go to author's homepage if they find a public add-on that doesn't have an installation box?
They might, but I'm not sure what else would be better.  If they get a 404 they'll go looking for it too, and find it via google.

I put a note on the description that will hopefully give people appropriate pause.  Dan: you think we should blocklist this?

Comment 10

12 years ago
Hi,

I'm the author of Bumble Search.

Sincere apologies for my late response to this bug; I'm still active in extensions and wish to correct it.

My intent is to,
* Create a new (secure from the start) extension to replace Bumble Search, known as WebCards, and near completion.
Existing users of Bumble Search will be encouraged to try WebCards to get their existing functionality.
* Bumble Search's functionally will be restricted to just Google; and security set in place
* The blog (which is embedded into the software), will be used to notify existing users of the security issue, and request they upgrade
* It will be submitted to Mozilla to propogate the upgrade

This will be completed by the end of March.

Comment 11

12 years ago
In addition, I will temporarily disable new downloads asap.
Component: Add-ons → Administration
QA Contact: add-ons → administration
(Assignee)

Updated

3 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
(Reporter)

Comment 12

3 years ago
I think that this should be public by now.
Flags: needinfo?(jorge)
Group: client-services-security
Flags: needinfo?(jorge)
You need to log in before you can comment on or make changes to this bug.