Off-Site Add-ons should require review before being posted.

RESOLVED WONTFIX

Status

addons.mozilla.org
Security
--
major
8 years ago
8 years ago

People

(Reporter: patrickjdempsey, Unassigned)


(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: 

There are at least a dozen add-ons in the top of the Newest Add-ons search page that have absolutely no information in them but which lead to off-site websites.  (I have not personally followed any of those links).  You can see several in the top of the list containing the description "keylog" which should probably be removed immediately:

https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:all?sort=newest

I myself was able to create a fake AMO page with a link in under 2 minutes.  It is so easy to do it could easily be reproduced by an autonomous program or bot.  My test is safe and leads to the BBC page:

https://addons.mozilla.org/en-US/firefox/addon/146377/


Reproducible: Always

Steps to Reproduce:
1. In the Developer Hub click on Submit a New Add-on.
2. Click Self-host my add-on.
3. Choose any license, click Agree and Continue.
4. Name and description can be as little as a Spacebar space!, GUID can be any fake email address, URL can be any site you wish.
5. Click Create Listed Add-on.
6. Fake AMO page is now automatically Active and hosted.
Actual Results:  
Unlike when an Add-on is hosted on AMO, an off-site Add-on is accepted and made Active immediately.  On-site add-ons are not automatically Active, but require a few minimum steps before being listed on AMO and the author must manually select "Make Active".  

Expected Results:  
At the minimum, off-site authors should be required to visit the Change Status page to manually make the page Active.  An automated attack-site scan of the linked website would probably be nice. Ideally, off-site pages would not be visible at all until reviewed by a human reviewer with experience in attack sites.

Self-hosted add-ons are a pilot program and may not stay around. But right now, we realize that they aren't reviewed and provide lots of warning that that's the case.

None of the keylog add-ons you mention have a homepage set, so clicking to go there just takes you to the AMO page you're already on.

We're considering ways to improve the self-hosted program in the future, but right now we're okay with the current warnings.
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX