Closed Bug 554856 Opened 11 years ago Closed 11 years ago

Persona setup allows for man-in-the-middle attack


(Firefox :: Security, defect)

3.6 Branch
Not set





(Reporter: general+mozilla, Unassigned)




(Whiteboard: [sg:dupe 545335])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/ Safari/532.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100316 Firefox/3.6.2

Per my blog entry:

Persona appears to rely on a set, arbitrary list of domains that are permissible to make changes based on specific code embedded on a theme site. This essentially means that there are pages that are capable of changing the look based on an action such as a MouseOver or OnClick.

However, just as the previously-mentioned exploit demonstrated that Persona made no authenticity of the data being fed and thus made a cross-site scripting (XSS) attack possible, it has now become apparent that there is a man-in-the-middle (MitM) attack that is doable. By simply redirecting the unencrypted, unverified traffic to an alternative server, one can simply perform the same functions that of the Persona website itself.

The lack of forced-SSL creates this problem as Firefox and Persona are unable to differentiate between the two servers. It is because of this that the 3.6 release is still subject to a serious security hole that remains to be patched. If one were to discover a method to have execute code instead, this could create a rather large security problem that would obviously be quite embarassing.

To add to this, the problem is worse in browsers 3.5 and lesser that have the addon as opposed to the integrated feature. In this case, there are multiple domains that the extension looks for and permits to changing the look and feel.

Reproducible: Always

Steps to Reproduce:
1. Redirect traffic from to elsewhere.
2. On "elsewhere", set it up to feed it a persona.
3. Watch as it does it without intervention!
Actual Results:  
Without complaint, it changes the persona without user intervention. This shouldn't happen outside of the website.

Expected Results:  
Something a tad more secure and sensible.

Leaving this un-patched could produce some rather disastrous results. This problem should be addressed immediately. Perhaps this feature should be removed until the Persona download site is treated like
Severity: critical → normal
Component: Security → Theme
QA Contact: firefox → theme
Version: unspecified → 3.6 Branch
Component: Theme → General
QA Contact: theme → general
Whiteboard: [sg:investigate]
Ever confirmed: true
Whiteboard: [sg:investigate] → [sg:low]
Closed: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 545335
Component: General → Security
QA Contact: general → firefox
Whiteboard: [sg:low] → [sg:dupe 545335]
You need to log in before you can comment on or make changes to this bug.