Closed Bug 614193 Opened 14 years ago Closed 14 years ago

Token is needed to prevent addons direct download

Categories: addons.mozilla.org Graveyard :: Public Pages
Type: defect
Priority: Not set
Severity: major
Tracking: (Not tracked)
Status: RESOLVED INVALID

People: Reporter: ervistusha; Assignee: Unassigned

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier:

    <html>
    <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <body>
    <iframe src="https://addons.mozilla.org/firefox/downloads/latest/7684/addon-7684-latest.xpi?src=homepagebrowse" width="0%" height="0" frameborder="0"></iframe>
    Website content goes here
    </body>
    </html>

Reproducible: Always

Steps to Reproduce:
Scenarios:
1. The attacker creates and uploads a malware add-on at addons.mozilla.org.
2. He social-engineers the victim into visiting his site.
3. He forces the victim to download the malware add-on.

Note: A lot of big sites are vulnerable to stored XSS.
Summary: Token is needed to stop addons direct download → Token is needed to prevent addons direct download
The problem here is having malware on the site, which our reviewers and users should find and remove quickly. Tokens won't work in a situation like this as add-ons are pushed to the release mirrors anyway.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
How is this any different than adding a link to a .xpi stored on any other server (such as the attacker's site)? The prompt blocking will be performed based on framing page, not on the fact that your frame contents come from AMO. If this worked for you in testing it's because you loaded your test page from a file:// URL which is an allowed source to ask users to install software. If you inject that frame in some other remote site the prompt will be blocked (with an "allow" infobar) as usual. To pull this off you need an XSS in AMO itself, in which case that's already all you need.
Group: client-services-security
Product: addons.mozilla.org → addons.mozilla.org Graveyard
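The install-prompt gating described in the previous comment, as an added example that is not part of the bug or of Firefox's own code. It models the decision the comment describes: whether an XPI install attempt gets a prompt or a blocked-with-"allow"-infobar result depends on the origin of the framing (top-level) page, with file:// pages allowed, and not on where the iframe's .xpi comes from. The whitelist contents, the result strings and the helper names are assumptions for illustration; the PoC HTML fed in is the reporter's page from the first comment, reproduced here as constructed input.

```javascript
// Assumed whitelist of origins that may ask the user to install software.
// Modelled on the bug's discussion; not Firefox's real list.
const XPI_INSTALL_WHITELIST = new Set([
  "https://addons.mozilla.org", // assumption: AMO is on the built-in list
]);

// Hypothetical model of the browser's decision when a page (directly or via
// a framed download) tries to install an XPI. Only the top-level page's
// origin enters the decision; the XPI's own origin does not.
function installPromptDecision(topLevelUrl, xpiUrl) {
  const top = new URL(topLevelUrl);
  new URL(xpiUrl); // parsed only to validate; its origin is deliberately ignored
  if (top.protocol === "file:") {
    return "prompt"; // file:// pages are an allowed source for install prompts
  }
  if (XPI_INSTALL_WHITELIST.has(top.origin)) {
    return "prompt"; // e.g. an XSS inside AMO itself
  }
  return "infobar"; // prompt blocked; user sees an "allow" infobar instead
}

// Pull the src of every <iframe> out of a page so the PoC can be evaluated.
// A regex is enough for this constructed input; a real check would use a parser.
function iframeSources(html) {
  const sources = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let match;
  while ((match = re.exec(html)) !== null) {
    sources.push(match[1]);
  }
  return sources;
}

// Constructed input: the reporter's PoC page from the first comment.
const POC_HTML = `<html>
<head><title></title></head>
<body>
<iframe src="https://addons.mozilla.org/firefox/downloads/latest/7684/addon-7684-latest.xpi?src=homepagebrowse" width="0%" height="0" frameborder="0"></iframe>
Website content goes here
</body>
</html>`;

// Evaluate the PoC as if it were served from topLevelUrl: returns one
// { src, result } entry per framed XPI.
function evaluatePoc(topLevelUrl, html = POC_HTML) {
  return iframeSources(html).map((src) => ({
    src,
    result: installPromptDecision(topLevelUrl, src),
  }));
}

// The three cases the comment distinguishes (assumed hostnames):
console.log(evaluatePoc("file:///tmp/poc.html"));        // prompt (what the reporter saw)
console.log(evaluatePoc("https://attacker.example/"));    // infobar (remote site)
console.log(evaluatePoc("https://addons.mozilla.org/"));  // prompt (needs XSS in AMO)
```

The point the model makes explicit is that `installPromptDecision` never reads the XPI URL's origin: framing an AMO download from an attacker-controlled site yields exactly the same outcome as linking to an .xpi hosted on the attacker's own server, which is why a download token on AMO would not change the picture.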