
Remote script loaded by Trailfire version 1.1.11748.63, and possibly others

Status: RESOLVED FIXED
Product: addons.mozilla.org Graveyard
Component: Administration
Priority: --
Severity: critical

People

(Reporter: Gijs, Assigned: fligtar)

Whiteboard: [sandboxed]

Description (Reporter, 10 years ago)
The overlay.xul for the Trailfire extension references a remote script.

This is a security problem, given now we can't review that code, MITM attacks have lots of new possibilities, and all the other niceties you get from privileged web scripts. As the original reporter wrote, this:

1: May slow browser startup (not sure how caching works in this case)
2: Abandons a significant security benefit of other extensions, namely the ability of knowledgeable persons to review the code for malicious behavior and security flaws. As is, the owner of the trailfire.com domain can change its behavior at any time or make its behavior IP-specific.
3: Since the script has chrome privileges, an attacker using DNS poisoning can run arbitrary code.
4: If the trailfire.com domain legitimately changes hands, the new owner inherits the ability to run arbitrary code.

The relevant source code line is line 11 of overlay.xul


I'm not sure how easy it will be to audit all the other extensions for this kind of thing. Searching for src=["']http would probably help, I guess.

(Not marking this as security sensitive since it's not the actual AMO site that has trouble. If this assessment is wrong, please do correct me)
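An audit check in the spirit of the grep suggested above, added here as an example; it is not code from the bug report or from the Trailfire add-on. It walks a constructed overlay.xul (the sample below is made up, and example.invalid is a placeholder host) and classifies every <script src> by URL scheme, so chrome:// and overlay-relative scripts pass while http/https references are flagged and anything else is left for manual review. The plain `src=["']http` grep is run on the same input so the two can be compared.

```python
"""Audit a XUL overlay for <script> elements that load code from a remote host."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample overlay for this example. It is NOT the Trailfire
# overlay.xul from the report; example.invalid is a placeholder host.
SAMPLE_OVERLAY_XUL = """<?xml version="1.0"?>
<overlay id="sample-overlay"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/x-javascript" src="http://example.invalid/overlay.js"/>
  <script type="application/x-javascript" src="chrome://sample/content/local.js"/>
  <script type="application/x-javascript" src="//example.invalid/relative.js"/>
  <script type="application/x-javascript" src="helpers.js"/>
</overlay>
"""

LOCAL_SCHEMES = {"chrome", "resource"}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def classify_src(src):
    """Return 'remote', 'local', 'relative' or 'unknown' for a script src value."""
    parts = urlsplit(src.strip())  # urlsplit lower-cases the scheme for us
    if parts.scheme in REMOTE_SCHEMES:
        return "remote"
    if parts.scheme in LOCAL_SCHEMES:
        return "local"
    if not parts.scheme and not parts.netloc:
        # Bare path: resolves against the overlay's own chrome:// URL.
        return "relative"
    # data: URLs, protocol-relative '//host/path', and anything else:
    # not provably local, so hand it to a reviewer.
    return "unknown"


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_overlay(xul_text):
    """Return [(src, classification)] for every <script src> that is not
    clearly local to the extension package."""
    root = ET.fromstring(xul_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "script":
            continue
        src = el.get("src")
        if src is None:
            continue  # inline script body, nothing to resolve
        kind = classify_src(src)
        if kind in ("remote", "unknown"):
            findings.append((src, kind))
    return findings


# The reporter's suggested grep, as a regex over individual lines.
GREP_PATTERN = re.compile(r'''src=["']http''')


def grep_remote_src(text):
    """Return 1-based line numbers where the plain grep would hit."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if GREP_PATTERN.search(line)]


if __name__ == "__main__":
    for src, kind in audit_overlay(SAMPLE_OVERLAY_XUL):
        print(f"{kind:8s} {src}")
    print("grep hits on lines:", grep_remote_src(SAMPLE_OVERLAY_XUL))
```

On the sample, the grep hits only the http:// line, while the parser also surfaces the protocol-relative reference as "unknown"; that difference is the reason to walk the XML rather than rely on the grep alone when auditing a large set of extensions.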

Comment 1 (Assignee, 10 years ago)
https://addons.mozilla.org/en-US/firefox/files/browse/16985

Trailfire author e-mailed on 11/5 and asked to fix or reply within 2 weeks.
Assignee: nobody → fligtar
Whiteboard: [notified 11/5]

Comment 2 (10 years ago)
Has this issue been fixed?
Comment 3 (Assignee, 10 years ago)
Since the authors did reply to the original notice and inquired about how to fix it, I gave them until Friday this week to update.
Whiteboard: [notified 11/5] → [fix by 11/30]
Comment 4 (Assignee, 10 years ago)
Authors have still not provided an update after 2 extensions of time - add-on has been sandboxed.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fix by 11/30] → [sandboxed]
Component: Add-ons → Administration
QA Contact: add-ons → administration
Product: addons.mozilla.org → addons.mozilla.org Graveyard