Closed Bug 406025 Opened 17 years ago Closed 11 years ago

Evaluate security of updateInfo

Categories

(Toolkit :: Add-ons Manager, defect)

Type: defect
Priority: Not set
Severity: normal

RESOLVED WONTFIX

People

(Reporter: mossop, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [sg:low] spoof for some non-AMO addons)

The current implementation of updateinfo allows the notes to be retrieved over an insecure connection. While there should be no possibility of any kind of actual compromise, it could be possible to display misleading information to a user during an update.

Probably doesn't need to be security restricted but filing as such for now.

Whiteboard: [sg:investigate]

Probably the only sensible way to secure the information here is either to require it to come from an https source or to include a hash of the data in the update.rdf, essentially the same options we give for the xpi itself.

Requiring https is relatively trivial; checking a hash is a little more complex, so which route to take depends on how serious we think this is as a risk.

Product: Firefox → Toolkit

Do the sg want to weigh in here?

Whiteboard: [sg:investigate] → [sg:audit]

Sounds like we know what the problem is here, [sg:audit] is probably not right. AMO-hosted addons will have updateInfoURL pointing at AMO over https -- no worries there.

updateInfo isn't visible generally: Dave says only when the user has selected Manual Updates for addons will it show up in the addon manager. For non-AMO-hosted addons that don't have a secure hosting site, this info could be intercepted and lie to the user.

IMPORTANT MITIGATION: the addon update itself will still be secure, not sure what ends could be reached by misleading a user through this text.

The only reasonable "fix" would be to drop updateInfoURL if it's not an https: URL. Update would still proceed, and the update info is optional anyway. Otherwise we can assume the attack value here--especially with the majority of addons either hosted securely on AMO or updated via their host program--is very small and just wontfix this.

Group: core-security
Whiteboard: [sg:audit] → [sg:low] spoof for some non-AMO addons

This is pretty edgecasey -- doesn't apply to AMO addons, and if the user is already on the path to installing or (manually?) updating, then misleading info from a malicious addon seems like the least of their worries.

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
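
The "fix" discussed in the thread (drop updateInfoURL unless it is an https: URL, and let the update itself proceed), sketched as an added example. This is not Add-ons Manager code; the function names, hosts and sample entries are constructed for illustration.

```javascript
// Added example: not Add-ons Manager code. Field names follow update.rdf
// (updateLink, updateHash, updateInfoURL); sample entries are constructed.

// True only for absolute URLs whose scheme is https.
function isHttps(value) {
  try {
    return new URL(value).protocol === "https:";
  } catch (e) {
    return false; // missing or malformed URLs are not trusted
  }
}

// Apply the policy to one parsed update entry without mutating it.
function applyUpdateInfoPolicy(entry) {
  const update = { ...entry };
  const dropped = [];

  // The XPI keeps its existing rule: https link, or a hash in the manifest.
  // (Checking the downloaded file against that hash is out of scope here.)
  const hasHash = typeof update.updateHash === "string" && update.updateHash !== "";
  const accepted = isHttps(update.updateLink) || hasHash;

  // Release notes are optional, so an insecure URL is removed instead of
  // failing the update: the user simply sees no notes.
  if ("updateInfoURL" in update && !isHttps(update.updateInfoURL)) {
    delete update.updateInfoURL;
    dropped.push("updateInfoURL");
  }
  return { accepted, update, dropped };
}

// Constructed sample entries (hypothetical hosts, placeholder hash).
const SAMPLE_ENTRIES = [
  { version: "2.0", updateLink: "https://addons.example/ext-2.0.xpi",
    updateInfoURL: "HTTPS://addons.example/notes/2.0.xhtml" },
  { version: "2.0", updateLink: "http://mirror.example/ext-2.0.xpi",
    updateHash: "sha256:<placeholder>",
    updateInfoURL: "http://mirror.example/notes/2.0.xhtml" },
  { version: "2.0", updateLink: "http://mirror.example/ext-2.0.xpi" },
];

for (const entry of SAMPLE_ENTRIES) {
  const { accepted, dropped } = applyUpdateInfoPolicy(entry);
  console.log(entry.updateLink, "accepted:", accepted, "dropped:", dropped);
}
```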