Addon Hiding Its Installation

RESOLVED WONTFIX

Status

addons.mozilla.org
Security
RESOLVED WONTFIX
7 years ago
7 years ago

People

(Reporter: Brian J.F. Herman, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
Created attachment 547847 [details]
exploit.js

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

Steps to reproduce:

I found a section of code on the internet that hides an addon from the addons page.
From reddit:

"So I was messing around with a Firefox extension for fun, and while adding/removing the extension to test some stuff the thought came to me: "What if I were to use my extensions' unrestricted access to the DOM to 'hide' it from the about:addons page?".
Well, unfortunately it is possible. You would think there would be some sort of protection against this, right? I've only tested this in v5.0, but I'm sure it works in most (if not all) other versions.
But yeah. Any extension you make/download has the potential to make itself hidden from about:addons (which is what the average user uses to manage their addons) - and do sneaky stuff in the background. You can always check your extensions folder if you're feeling paranoid, though."


Actual results:

This section of code hides an addon from the addon page.


Expected results:

This should not be allowed.
Firefox "extensions" can do anything that Firefox can do. They are far more powerful--for good and ill--than the more sandboxed Chrome extensions. The kind of limitation you ask for is simply not technically possible. We are developing a new kind of add-on with a more limited API but it will be some time before most addons are built that way.

In the meantime this is specifically something we look for as part of our addon reviews before accepting them for our addons.mozilla.org site. There is no technical barrier preventing a developer from creating a malware add-on (or Android/iPhone app, for that matter)  and users need to get their add-ons from a reputable source like https://addons.mozilla.org and not random sites on the internet.
Group: core-security
Component: Security → Add-on Security
Product: Firefox → addons.mozilla.org
QA Contact: firefox → security
Version: 5 Branch → unspecified
Attachment #547847 - Attachment mime type: application/octet-stream → text/plain
Add-ons can do things that so much more harmful than hiding themselves. This would certainly be detected on AMO review, and most other add-ons can be blocklisted if they are found to be malicious.

wontfix?
For all the reasons above.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.