Closed Bug 705715 Opened 13 years ago Closed 13 years ago

The Addon Builder Helper extension trusts http://flightdeck.zalewa.info/

Categories

(addons.mozilla.org :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: albinowax, Assigned: zalun)

Details

(Whiteboard: [sg:critical])

The addon builder helper enables users to test-install addons from builder.addons.mozilla.org without any confirmation. The code at https://addons.mozilla.org/en-US/firefox/files/browse/137624/file/resources/jid0-t3eerqgganlch9c50lpqctdunng-at-jetpack-addons-builder-helper-data/addon-config.json gives me the impression that it also trusts http://flightdeck.zalewa.info, a site currently on shared hosting that may not be as secure as addons.mozilla.org. Since it's http:// rather than https:// this could also be abused as part of a MITM attack. I was unsuccessful in confirming that flightdeck.zalewa.info is trusted by way of a MITM attack on myself, but I think it's likely enough to warrant reporting.
Assignee: nobody → zaloon
https://github.com/zalun/addon-builder-helper/commit/f1b61f3fce106b774f41972ff3bfe8f51181e45f
It's in pull request now
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
piotr: is James right? My reading of the code matches his, that a MITM attack on any user of ABH could serve up a fake page appearing to come from the right domain and then create and install any bootstrap addon they wanted.

If so we need to file a bug to blocklist the old version. Active users of the builder.AMO site could be bludgeoned into taking an upgrade but that won't help people who tried the builder a long time ago and still have the helper. Updates of a restartless addon should have a pretty good uptake so I suppose we could wait a couple of days and see if we have many users with the old version to worry about.
Whiteboard: [sg:critical]
This was in the trusted domain list very early on before public release and was passed along to prod on accident. I will remove it and push out a new copy of the add-on this week. I would expect uptake to be very rapid for those who already have the ABH installed.
Did the new version get shipped? Is the bug still open by mistake or is there more to do?
The code is fixed; however, the new version of ABH (1.3) is not yet in AMO.
Closed pull request is here: https://github.com/mozilla/addon-builder-helper/pull/2
Do we have a code control to prevent trust of http domains? Although trusting a third-party domain is dangerous, this configuration would still be bad with HTTP to one of our trusted domains (because of MITM potential for HTTP sites).
ABH 1.4 is live now. I'm going to mark this as verified.
Status: RESOLVED → VERIFIED
Flags: sec-bounty+
Group: client-services-security