Bug 406025: Evaluate security of updateInfo
Status: RESOLVED WONTFIX (Closed)
Opened 17 years ago
Closed 11 years ago
Categories: (Toolkit :: Add-ons Manager, defect)
People: (Reporter: mossop, Unassigned)
Details: (Keywords: sec-low, Whiteboard: [sg:low] spoof for some non-AMO addons)
The current implementation of updateinfo allows the notes to be retrieved over an insecure connection. While there should be no possibility of any kind of actual compromise it could be possible to display misleading information to a user during an update. Probably doesn't need to be security restricted but filing as such for now.
Updated • 17 years ago
Whiteboard: [sg:investigate]
Comment 1 • 17 years ago (Reporter)
Probably the only sensible way to secure the information here is to either require it to come from a https source or to include a hash of the data in the update.rdf, essentially the same options we give for the xpi itself. The requiring https is relatively trivial, checking a hash is a little more complex so which route to take depends on how serious we think this is as a risk.
Updated • 16 years ago (Assignee)
Product: Firefox → Toolkit
Comment 2 • 15 years ago (Reporter)
Do the sg want to weigh in here?
Updated • 14 years ago
Whiteboard: [sg:investigate] → [sg:audit]
Comment 3 • 12 years ago
Sounds like we know what the problem is here, [sg:audit] is probably not right. AMO-hosted addons will have updateInfoURL pointing at AMO over https -- no worries there. updateInfo isn't visible generally: Dave says only when the user has selected Manual Updates for addons will it show up in the addon manager.

For non-AMO-hosted addons who don't have a secure hosting site this info could be intercepted and lie to the user. IMPORTANT MITIGATION: the addon update itself will still be secure, not sure what ends could be reached by misleading a user through this text.

The only reasonable "fix" would be to drop updateInfoURL if it's not an https: URL. Update would still proceed, and the update info is optional anyway. Otherwise we can assume the attack value here--especially with the majority of addons either hosted securely on AMO or updated via their host program--is very small and just wontfix this.
Group: core-security
Whiteboard: [sg:audit] → [sg:low] spoof for some non-AMO addons
Comment 4 • 11 years ago
This is pretty edgecasey -- doesn't apply to AMO addons, and if the user is already on the path to installing or (manually?) updating, then misleading info from a malicious addon seems like the least of their worries.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
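
The two options weighed in comments 1 and 3 (show the update notes only when they come from an https: URL, or check them against a hash carried in update.rdf), sketched as an added example that is not part of this bug thread or of the Add-ons Manager code. `checkUpdateInfo`, the `updateInfoHash` field and its `alg:hex` format are assumptions made for illustration.

```javascript
// Added illustration: checkUpdateInfo and the updateInfoHash field are
// hypothetical names, not Add-ons Manager code.
const crypto = require("node:crypto");

// Assumption: only strong digests are accepted for the notes hash.
const ALLOWED_ALGS = new Set(["sha256", "sha512"]);

// entry: { updateInfoURL, updateInfoHash? } as read from the update manifest,
//        which is assumed to have been retrieved securely already.
// body:  Buffer with the fetched release notes.
// Returns { show, reason }. Only display of the notes is decided here; the
// update itself proceeds either way, since the notes are optional.
function checkUpdateInfo(entry, body) {
  let url;
  try {
    url = new URL(entry.updateInfoURL);
  } catch (e) {
    return { show: false, reason: "invalid-url" };
  }

  // Option: a hash in the manifest authenticates the notes on any transport.
  if (entry.updateInfoHash) {
    const [alg, hex] = String(entry.updateInfoHash).split(":");
    if (!ALLOWED_ALGS.has(alg) || !/^[0-9a-f]+$/i.test(hex || "")) {
      return { show: false, reason: "bad-hash-format" };
    }
    const actual = crypto.createHash(alg).update(body).digest();
    const expected = Buffer.from(hex, "hex");
    const match = expected.length === actual.length &&
      crypto.timingSafeEqual(expected, actual);
    return match
      ? { show: true, reason: "hash-ok" }
      : { show: false, reason: "hash-mismatch" };
  }

  // Option: no hash, so accept the notes only from an https: URL.
  if (url.protocol === "https:") {
    return { show: true, reason: "https" };
  }
  return { show: false, reason: "insecure-url" };
}
```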