Vulnerability in Add-On Updates?




11 years ago
10 years ago


(Reporter: tom, Unassigned)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:needinfo])



11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

A day after installing 3.0, I was sitting at my machine, just reading a static news page when a window popped up, saying there was an update to Foxmarks. After acknowledging that, another dialog came up indicating that Firefox was installing all kinds of junk - Weatherbug, etc., etc.... There were six dubious extensions on the list (I didn't make note of them all in my haste to stop the process).

Reproducible: Always

Steps to Reproduce:
Actual Results:  
Wish I could.

Install only the Foxmarks update.

Comment 1

11 years ago
I looked at Foxmarks from and didn't see anything suspicious. Where did you get Foxmarks and what version were you updated to? Did you see a real popup window (like other popups) or the extension notification window?

Comment 2

11 years ago
(In reply to comment #1)
I originally installed Foxmarks from their website (which, apparently, is a link to the actual download @ Mozilla). 

The first was a regular "pop-up" (something to the effect, "There is a newer version of Foxmarks, would you like to download it?" When I clicked "Yes," (or, "OK?"), I got the actual extension notification window, indicating the several rogue add-ons being installed with it. 

The Foxmarks version I was upgraded to is



11 years ago
Product: Firefox → Toolkit
It's unclear what came up after the initial acknowledgement of the new Foxmarks version. Were the various packages actively installing without interaction, or was it the standard install dialog with multiple items in it?

The former could be quite serious, the latter would be annoying but the confirmation dialog was doing its job. The FoxMarks site shouldn't be shoving down extra packages, but since it's chrome it certainly has the ability to be as anti-social as it likes. That would be a completely different kind of problem that would need to be resolved through human interaction, not code fixes.

Looking at the current Foxmarks code it does do a little of its own updating. If it detects a new version on its own it prompts and then calls
     gExtensionManager.update([updateitem], 1, false, listener);
where updateitem is foxmarks itself. It looks like it's attempting to simply have the extension manager dialog check for updates, which would then prompt you to install.

Did you already have all those other extensions, even if disabled? Open the addons dialog from the Tools menu and see. Maybe there's nothing more than it causing your existing addons to make a check for updates, and not installing anything.
Whiteboard: [sg:needinfo]
Group: core-security
Last Resolved: 10 years ago
Resolution: --- → INCOMPLETE