Closed Bug 393545 Opened 17 years ago Closed 17 years ago

Remote script loaded by Trailfire version 1.1.11748.63, and possibly others

Categories

(addons.mozilla.org Graveyard :: Administration, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Gijs, Assigned: fligtar)

Details

(Whiteboard: [sandboxed])

The overlay.xul for the Trailfire extension references a remote script.

This is a security problem, given now we can't review that code, MITM attacks have lots of new possibilities, and all the other niceties you get from privileged web scripts. As the original reporter wrote, this:

1: May slow browser startup (not sure how caching works in this case)
2: Abandons a significant security benefit of other extensions, namely the ability of knowledgeable persons to review the code for malicious behavior and security flaws. As is, the owner of the trailfire.com domain can change its behavior at any time or make its behavior ip-specific.
3: Since the script has chrome privileges, an attacker using DNS poisoning can run arbitrary code.
4: If the trailfire.com domain legitimately changes hands, the new owner inherits ability to run arbitrary code.

The relevant source code line is line 11 of overlay.xul


I'm not sure how easy it will be to audit all the other extensions for this kind of thing. Searching for src=["']http would probably help, I guess.

(Not marking this as security sensitive since it's not the actual AMO site that has trouble. If this assessment is wrong, please do correct me)
https://addons.mozilla.org/en-US/firefox/files/browse/16985
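
The audit suggested in the report (searching for src=["']http), written out as an added example; it is not part of the original bug or of any AMO tooling. It walks an XPI, descends into nested chrome .jar packages, and reports every script tag whose src is remote. The sample add-on and the example.invalid URL are constructed for illustration.

```python
import io
import re
import zipfile

# Match whole <script ...> tags first, then look for a remote src inside them,
# so that xmlns="http://..." and similar attributes are not reported.
SCRIPT_TAG = re.compile(rb"<(?:\w+:)?script\b[^>]*>", re.I)
REMOTE_SRC = re.compile(rb"""\bsrc\s*=\s*["']\s*((?:https?|ftp):[^"']*)""", re.I)
MARKUP = (".xul", ".xhtml", ".html", ".xml")

def scan_markup(name, data):
    """Return (file, line, url) for every <script> tag whose src is remote."""
    hits = []
    for tag in SCRIPT_TAG.finditer(data):
        m = REMOTE_SRC.search(tag.group(0))
        if m:
            line = data.count(b"\n", 0, tag.start()) + 1  # line where the tag opens
            hits.append((name, line, m.group(1).decode("utf-8", "replace")))
    return hits

def scan_archive(blob, prefix=""):
    """Walk an XPI (a zip file); recurse into nested .jar chrome packages."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            path = prefix + info.filename
            if path.lower().endswith(".jar"):
                hits += scan_archive(z.read(info), path + "!/")
            elif path.lower().endswith(MARKUP):
                hits += scan_markup(path, z.read(info))
    return hits

def build_sample_xpi():
    """Constructed sample: an XPI whose chrome jar holds one overlay."""
    overlay = (b'<overlay id="sample"\n'
               b'    xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n'
               b'  <script type="application/x-javascript"\n'
               b"          src='http://example.invalid/remote.js'/>\n"
               b'  <script src="chrome://sample/content/local.js"/>\n'
               b'</overlay>\n')
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("content/overlay.xul", overlay)
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("chrome/sample.jar", jar.getvalue())
    return xpi.getvalue()

if __name__ == "__main__":
    print(scan_archive(build_sample_xpi()))
```

This only catches static src attributes in markup; scripts fetched and evaluated at runtime from JavaScript still need manual review.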

Trailfire author e-mailed on 11/5 and asked to fix or reply within 2 weeks.
Assignee: nobody → fligtar
Whiteboard: [notified 11/5]
Has this issue been fixed?
Since the authors did reply to the original notice and inquired about how to fix it, I gave them until Friday this week to update.
Whiteboard: [notified 11/5] → [fix by 11/30]
Authors have still not provided an update after 2 extensions of time - add-on has been sandboxed.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [fix by 11/30] → [sandboxed]
Component: Add-ons → Administration
QA Contact: add-ons → administration
Product: addons.mozilla.org → addons.mozilla.org Graveyard