Remote script loaded by Trailfire version 1.1.11748.63, and possibly others



12 years ago
3 years ago


(Reporter: Gijs, Assigned: fligtar)



(Whiteboard: [sandboxed], URL)



12 years ago
The overlay.xul for the Trailfire extension references a remote script.

This is a security problem, given now we can't review that code, MITM attacks have lots of new possibilities, and all the other niceties you get from privileged web scripts. As the original reporter wrote, this:

1: May slow browser startup (not sure how caching works in this case)
2: Abandons a significant security benefit of other extensions, namely the ability of knowledgeable persons to review the code for malicious behavior and security flaws. As is, the owner of the domain can change its behavior at any time or make its behavior IP-specific.
3: Since the script has chrome privileges, an attacker using DNS poisoning can run arbitrary code.
4: If the domain legitimately changes hands, the new owner inherits ability to run arbitrary code.

The relevant source code line is line 11 of overlay.xul.

I'm not sure how easy it will be to audit all the other extensions for this kind of thing. Searching for src=["']http would probably help, I guess.

(Not marking this as security sensitive since it's not the actual AMO site that has trouble. If this assessment is wrong, please do correct me)
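
The audit suggested in the report (searching for `src=["']http`), sketched as an added example that is not part of the original report or of any AMO tooling. It parses each XUL file in an XPI and flags `<script>` elements whose `src` is a network URL. The function names, the sample XPI and the `example.invalid` URL are constructed for illustration, and nested `.jar` archives inside the XPI are not opened.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Schemes that pull code from outside the packaged (reviewable) extension.
REMOTE = re.compile(r"^\s*(?:https?:|ftp:|//)", re.IGNORECASE)
# Fallback: the regex from the report, widened to other remote schemes.
FALLBACK = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']\s*((?:https?:|ftp:|//)[^"']*)""", re.I)

def remote_scripts_in_xul(text):
    """Return src values of <script> elements that load from the network."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # Files this parser rejects are still checked textually.
        return FALLBACK.findall(text)
    hits = []
    for el in root.iter():
        # Tags look like '{namespace}script'; compare the local name only.
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            src = el.get("src", "")
            if REMOTE.match(src):
                hits.append(src.strip())
    return hits

def scan_xpi(data):
    """Scan an XPI (zip) given as bytes; return {member: [remote src, ...]}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for name in xpi.namelist():
            if name.lower().endswith((".xul", ".xhtml")):
                text = xpi.read(name).decode("utf-8", "replace")
                hits = remote_scripts_in_xul(text)
                if hits:
                    findings[name] = hits
    return findings

def build_sample_xpi():
    """Constructed sample: one overlay with a packaged and a remote script."""
    overlay = """<?xml version="1.0"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script src="chrome://sample/content/local.js"/>
  <script src="http://scripts.example.invalid/remote.js"/>
</overlay>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome/content/overlay.xul", overlay)
        z.writestr("chrome/content/clean.xul",
                   '<overlay><script src="local.js"/></overlay>')
    return buf.getvalue()
```

`chrome://` and relative `src` values are treated as packaged code and are not reported; `https:` is reported as well, since the code still cannot be reviewed as part of the package.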

Comment 1

11 years ago

Trailfire author e-mailed on 11/5 and asked to fix or reply within 2 weeks.
Assignee: nobody → fligtar
Whiteboard: [notified 11/5]
Has this issue been fixed?

Comment 3

11 years ago
Since the authors did reply to the original notice and inquired about how to fix it, I gave them until Friday this week to update.
Whiteboard: [notified 11/5] → [fix by 11/30]

Comment 4

11 years ago
Authors have still not provided an update after 2 extensions of time - add-on has been sandboxed.
Last Resolved: 11 years ago
Resolution: --- → FIXED
Whiteboard: [fix by 11/30] → [sandboxed]
Component: Add-ons → Administration
QA Contact: add-ons → administration
Product: → Graveyard