Silent addon installation without user prompting

RESOLVED WORKSFORME

6 years ago
2 years ago

People

(Reporter: spylogsster, Unassigned)


Attachments

(1 attachment)

(Reporter)

Description

6 years ago
It is possible to install any addon without user prompting: we need to copy a new xpi to the staged directory in the extensions dir, and Firefox will install it automatically.

Comment 1

6 years ago
Could you be more specific how/where/when exactly you are performing this copy?
Group: core-security
Component: Plug-ins → Add-ons Manager
Product: Core → Toolkit
Yes, this is a known way to get around the third-party install mechanisms currently in place. As far as we're aware no-one is taking advantage of it (aside from our own automated testing frameworks).

There is only so far we can go to block this sort of thing without adversely affecting our ability to develop Firefox; I don't think we need to put any additional protection in place here at this point.
(Reporter)

Comment 3

6 years ago
Created attachment 654101 [details]
example of the dangerous extension
(Reporter)

Comment 4

6 years ago
Copy the attached xpi to
c:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[profile]\extensions\staged\{4F5C2312-44DB-4bc9-84A7-E3B67A19EEE7}.xpi
and FF will install it automatically.
This issue is no longer reproducible on Firefox 52.0a1 (2016-11-13), Firefox 51.0a2 (2016-11-13), Firefox 50.0 (20161104212021) and Firefox 49.0.2 (20161019084923) under Windows 10 64-bit and Ubuntu 16.04 32-bit.

The add-on approval installation tab is successfully prompted after restarting the browser while following the steps from description.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
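
An audit for the staging path described in this report, as an added example that is not part of the original bug or of Mozilla's code: it lists every .xpi waiting in a profile's extensions/staged directory, with its hash and manifest type, so the file can be reviewed. The function names and the profiles-root argument are assumptions made for this example.

```python
import hashlib
import sys
import zipfile
from pathlib import Path

# Manifest names: install.rdf (legacy add-ons), manifest.json (WebExtensions).
MANIFESTS = ("install.rdf", "manifest.json")

def describe_xpi(path: Path) -> dict:
    """Summarise one staged file so a reviewer can triage it."""
    try:
        with zipfile.ZipFile(path) as archive:
            names = set(archive.namelist())
        valid_zip = True
    except zipfile.BadZipFile:
        names, valid_zip = set(), False
    return {
        # Layout from the report: <profile>/extensions/staged/<id>.xpi
        "profile": path.parents[2].name,
        "addon_id": path.stem,  # the file name carries the add-on ID
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "valid_zip": valid_zip,
        "manifest": next((m for m in MANIFESTS if m in names), None),
    }

def find_staged_xpis(profiles_root) -> list:
    """Return a record for every .xpi waiting in any profile's staged directory."""
    root = Path(profiles_root)
    return [describe_xpi(p) for p in sorted(root.glob("*/extensions/staged/*.xpi"))]

if __name__ == "__main__" and len(sys.argv) > 1:
    # Hypothetical usage: pass the Profiles directory named in the report.
    for record in find_staged_xpis(sys.argv[1]):
        print(record)
```

Files placed directly in extensions/ are not reported; only the staged subdirectory named in the report is scanned.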