Manifest URL is exposed before purchasing paid apps

Status

RESOLVED WONTFIX
7 years ago
3 years ago

People

(Reporter: cvan, Assigned: cvan)

Tracking

unspecified
6.4.8

Details

Description

7 years ago
Steps to reproduce:
1) Find an install button for a paid app.
2) Inspect the HTML for that button.
3) Steal the manifestUrl.
4) Share it with your friends.

<a class="button premium" data-cost="0.99" data-product="{&quot;manifestUrl&quot;: &quot;http://krupa.dekkostudios.com/app.webapp&quot;, &quot;name&quot;: &quot;SeaVan's Undersea Adventure&quot;, &quot;purchase&quot;: &quot;/en-US/app/seavans-undersea-adventure/purchase/&quot;, &quot;price&quot;: 0.99, &quot;isPurchased&quot;: false, &quot;id&quot;: 364689}" data-purchase="/en-US/app/seavans-undersea-adventure/purchase/?" href="#">
        $0.99
</a>

Comment 1

7 years ago
There's nothing we can do to stop manifests being shared; they are by definition open and public (not sure what data-product is doing, is that serialised JSON?).

In apps-preview we only showed the manifest when the app was purchased.

In bug 701452 kumar felt that this should be shown in HTML all the time, maybe as the href.

The only way to secure an app is to use the receipt validation. Share the manifest URL all you want, the receipt validation should still fail.

Comment 2 (Assignee)

7 years ago
This is OK, assuming our receipt verification service works (bug 739344) and is exposed to those sellers looking to keep their ish secret.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → addons.mozilla.org Graveyard
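Comments 1 and 2 above make the security argument that a manifest URL is public by design and that the receipt check is what actually gates a paid app. As an added example that is not code from this bug, the Marketplace or its receipt verifier, here is a minimal Python issue/verify pair modelled loosely on JWT-style purchase receipts: the signing key and issuer are constructed placeholders and the claim names (typ, product.url, user, nbf) are assumptions, but the point holds: knowing the manifest URL gives you nothing without a store-signed receipt bound to it.

```python
import base64
import hashlib
import hmac
import json
import time

STORE_KEY = b"constructed-store-signing-key"  # stand-in for the store's real key
MANIFEST_URL = "http://krupa.dekkostudios.com/app.webapp"  # from the bug report


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_receipt(manifest_url, user, key=STORE_KEY, now=None) -> str:
    """Store side: sign a receipt binding one user to one app manifest URL."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({            # assumed claim names
        "typ": "purchase-receipt",
        "product": {"url": manifest_url},
        "user": {"type": "directed-identifier", "value": user},
        "iss": "https://store.example",      # placeholder issuer
        "nbf": now,
    }).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_receipt(receipt, expected_manifest_url, key=STORE_KEY, now=None) -> bool:
    """App side: accept only a store-signed receipt for *this* manifest URL."""
    try:
        header_b64, claims_b64, sig_b64 = receipt.split(".")
        expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        # Signature first: knowing the manifest URL is not enough to forge this.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # bad split, base64 or JSON
        return False
    now = int(time.time() if now is None else now)
    return (
        header.get("alg") == "HS256"
        and claims.get("typ") == "purchase-receipt"
        and claims.get("product", {}).get("url") == expected_manifest_url
        and claims.get("nbf", 0) <= now
    )
```

A real verifier would also consult the store's verification service (the one comment 2 refers to) so that refunded or revoked receipts are rejected, which this offline check alone cannot see.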