Thanks for giving us a heads-up on the paper. You are quite right that add-ons can do anything Firefox can and that it's dangerous. Installing an add-on is not in any way sandboxed; it is installing software on your machine, no different than installing a plugin like Java or Flash. Can't really call it a "bug", it's just the way that functionality is defined.

To the extent that malicious add-ons exist I would hope that anti-virus treats it as any other malicious software. You're right that they don't always, so getting the word out that they ought to be looking can only be helpful. I believe you are wrong about A-V not unpacking .xpi files: they CAN do so, they just aren't looking for many malicious add-ons. But for the very few they know about they do detect them. For example, here is the VirusTotal analysis of the example malware FFSniff add-on from http://azurit.elbiahosting.sk/ffsniff/

https://www.virustotal.com/en/file/445b5de204bfc337ed571f406787fe1a39e8fecaf0ea60d61a6c28c1fe834332/analysis/

So "signature-based" seems to work, but they don't seem to have heuristics to detect new "bad stuff" such as the add-ons you wrote.
Also it's easier for anyone to do exploitation with Firefox. I had presented this paper at AppSec AsiaPac Security Conference 2013, South Korea (I didn't make full disclosure). The responses from the delegates suggest they are afraid to use Firefox even though I told them it basically happens only if malicious add-ons are there. Still hard to convince them. And at last I explained to them the mitigation strategies to protect from such exploitation with these kinds of add-ons.

And if it's not a bug, then it's a design flaw to fix.

1. There should be some restrictions on the files that can be accessed by an add-on. It's very clear that stealing "sessionstore.js", which stores the confidential session information, is a severe threat. The same applies to reading the Linux password file.
2. Why can Firefox add-ons still run an executable? That should be deprecated by now, because there are enough programming environments and tools to make add-on development easier. So remove the support for Windows executables.
3. And if one add-on can interact with and get the values or configs of other add-ons, then where is the integrity?
4. Even though it's about add-on exploitation, it's still related to Firefox. So as a web developer and information security researcher, I would like to tell you that the Mozilla Platform should be filtered and the security architecture should be redefined or redesigned. You've got billions of users; never lose their trust.
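The two comments above turn on whether scanners unpack `.xpi` files and look for the behaviours listed (session store access, password file reads, process launch, reaching into other add-ons). The following is an added example, not part of the thread or of any Mozilla or anti-virus code: a minimal heuristic scanner that unpacks a legacy `.xpi`, recurses into nested `.jar` archives, and flags those behaviours. The patterns, limits and the in-memory sample add-on are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Illustrative patterns for behaviours named in the thread (assumptions, not AV signatures).
INDICATORS = {
    "reads session store": re.compile(rb"sessionstore\.js"),
    "reads system password file": re.compile(rb"/etc/(passwd|shadow)"),
    "launches a process": re.compile(rb"nsIProcess"),
    "queries other add-ons": re.compile(rb"AddonManager"),
}
SCRIPT_EXT = (".js", ".jsm", ".xul", ".xml")
ARCHIVE_EXT = (".jar", ".xpi", ".zip")
MAX_DEPTH = 3            # bound recursion into nested archives
MAX_MEMBER = 5 * 2**20   # skip members declaring more than 5 MiB uncompressed


def scan_xpi(data, prefix="", depth=0):
    """Return sorted (path, finding) pairs for an .xpi supplied as bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not a valid zip archive")]
    findings = set()
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            name = info.filename.lower()
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            body = archive.read(info)
            if name.endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                findings.update(scan_xpi(body, path + "!/", depth + 1))
            elif name.endswith(SCRIPT_EXT):
                for label, pattern in INDICATORS.items():
                    if pattern.search(body):
                        findings.add((path, label))
    return sorted(findings)


def build_sample_xpi():
    """Constructed sample: the flagged script sits inside a nested chrome jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("content/overlay.js", 'var f = "sessionstore.js"; Components.interfaces.nsIProcess;')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("chrome/sample.jar", inner.getvalue())
    return outer.getvalue()
```

A scanner that only inspects the top level of the `.xpi` would report nothing for this sample, since the script is reachable only by unpacking `chrome/sample.jar`.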
With the adoption of Web Extensions and the deprecation of full add-ons, I think we could call this bug RESOLVED. Dan?