User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/220.127.116.116 Safari/532.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20100316 Firefox/3.6.2

Per my blog entry: Persona appears to rely on a set, arbitrary list of domains that are permitted to make changes based on specific code embedded on a theme site. This essentially means that there are pages that are capable of changing the look based on an action such as a MouseOver or OnClick. However, just as the previously-mentioned exploit demonstrated that Persona performed no authenticity check on the data being fed to it and thus made a cross-site scripting (XSS) attack possible, it has now become apparent that a man-in-the-middle (MitM) attack is also doable. By simply redirecting the unencrypted, unverified traffic to an alternative server, one can perform the same functions as the Persona website itself. The lack of forced SSL creates this problem, as Firefox and Persona are unable to differentiate between the two servers. It is because of this that the 3.6 release is still subject to a serious security hole that remains to be patched. If one were to discover a method to execute code instead, this could create a rather large security problem that would obviously be quite embarrassing.

To add to this, the problem is worse in browsers 3.5 and lower that have the addon as opposed to the integrated feature. In this case, there are multiple domains that the extension looks for and permits to change the look and feel.

Reproducible: Always

Steps to Reproduce:
1. Redirect traffic from getpersonas.com to elsewhere.
2. On "elsewhere", set it up to feed it a persona.
3. Watch as it does it without intervention!

Actual Results:
Without complaint, it changes the persona without user intervention. This shouldn't happen outside of the getpersonas.com website.

Expected Results:
Something a tad more secure and sensible. Leaving this un-patched could produce some rather disastrous results. This problem should be addressed immediately. Perhaps this feature should be removed until the Persona download site is treated like addons.mozilla.org.
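The mitigation the report asks for (only accept theme changes from the real site over a verified channel) comes down to a strict origin check before a persona is applied. The following is an added illustration, not Firefox or Persona code; the allowlist of HTTPS origins and the function name are assumptions for the example.

```javascript
// Added example: accept a persona-change request only from an exact,
// HTTPS-only allowlist of origins. Plain http:// is rejected because an
// on-path attacker can redirect it, which is the MitM scenario in the report.
// The allowlist below is an assumption for this example, not Firefox's real list.
const ALLOWED_PERSONA_ORIGINS = new Set([
  "https://getpersonas.com",
  "https://www.getpersonas.com",
]);

function isTrustedPersonaOrigin(rawUrl, allowed = ALLOWED_PERSONA_ORIGINS) {
  let u;
  try {
    u = new URL(rawUrl);           // unparseable input is never trusted
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:") return false;   // no forced SSL => no server authentication
  if (u.username || u.password) return false;  // reject "https://getpersonas.com@evil.example"
  // Compare the whole origin (scheme + host + port), never a substring or
  // suffix of the hostname, so "getpersonas.com.evil.example" does not pass.
  return allowed.has(u.origin);
}

// Policy wrapper: a persona from an untrusted origin is dropped outright;
// a trusted origin may apply it (the browser would still confirm with the user).
function decidePersonaChange(rawUrl) {
  return isTrustedPersonaOrigin(rawUrl) ? "apply" : "reject";
}

// Constructed sample requests, as seen from the theme-change handler.
const SAMPLE_REQUESTS = [
  "https://getpersonas.com/persona/123",           // genuine, over TLS
  "http://getpersonas.com/persona/123",            // redirectable plain HTTP
  "https://getpersonas.com.attacker.example/p/1",  // look-alike suffix host
  "https://getpersonas.com@attacker.example/p/1",  // userinfo trick
];

for (const r of SAMPLE_REQUESTS) {
  console.log(decidePersonaChange(r), r);
}
```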