Source code of any app can be downloaded by anyone from https://marketplace.firefox.com/downloads/file/XXXXXX

RESOLVED WONTFIX

Status

Marketplace
General
P3
normal
RESOLVED WONTFIX
4 years ago
4 months ago

People

(Reporter: ramd, Unassigned)

Tracking

(Depends on: 1 bug, Blocks: 1 bug)

Points:
---
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:marketplace.firefox.com][reporter-external])

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20131212030202

Steps to reproduce:

I tried some random digits in place of 'X' in https://marketplace.firefox.com/downloads/file/XXXXXX


Actual results:

I was able to download the source code of a few apps.


Expected results:

It should not allow anyone to download the source code of any app. Only an authorized person should be able to download their apps.
(Reporter)

Comment 1

4 years ago
You can try with https://marketplace.firefox.com/downloads/file/234420
This is essentially like using view-source on a web page, as this is how web apps are packaged. These files contain the resources (URLs, etc.) for the app and its manifest. This is not the source code for the app.
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Flags: sec-bounty-
Resolution: --- → WONTFIX
Whiteboard: [site:marketplace.firefox.com][reporter-external]

Updated

4 years ago
Blocks: 836571
(In reply to Curtis Koenig [:curtisk] from comment #2)
> This is essentially like using view-source on a web page, as this is how web
> apps are packaged. These files contain the resources (URLs, etc.) for the app
> and its manifest. This is not the source code for the app.

Just to clarify: This IS the source code for the app - or rather this is the app itself. This URL is used as part of the install process. As an example:

When you click install a PACKAGED app (i.e. not a hosted one), a manifest.webapp file is downloaded such as:
https://marketplace.firefox.com/app/956189a1-c985-4824-85a9-de708d38d6f9/manifest.webapp

Inside this file is a "package_path" which contains the path to the app: https://marketplace.firefox.com/downloads/file/237117/connecta2-009.zip

As it turns out, marketplace will let you specify anything after the number, and that will be used as the filename. The content type is always application/zip though, so I can't think of any issues with this.

So bottom line, this is the URL used to install the app. We could make it less predictable, but it would always be possible just to crawl the marketplace and download all apps that way.
Thanks for filing this bug. As was mentioned above, these are packages of client-side code and shouldn't contain anything secret. I agree this is not a security bug.

That said, I'm going to reopen it because I'd like to fix it, particularly in the case of paid apps where we prevent downloading until a user has paid.
Status: RESOLVED → REOPENED
Component: Security → General
Ever confirmed: true
Priority: -- → P3
Resolution: WONTFIX → ---
(Reporter)

Comment 5

4 years ago
I have one more doubt: if it's fine to get the source code of any app, then it should also be possible for everyone to know the app number (which is what XXXXXX is in https://marketplace.firefox.com/downloads/file/XXXXXX). What do you people say?
app number isn't a secret
(Reporter)

Comment 7

4 years ago
How do I find the app number of any app?

Comment 8

4 years ago
(In reply to Wil Clouser [:clouserw] from comment #4)
> That said, I'm going to reopen it because I'd like to fix it, particularly
> in the case of paid apps where we prevent downloading until a user has paid.

The receipt is the proof of purchase, not the download. Saying that, I think people will repeatedly file this bug, so it's better to try and prevent it.
Assignee: nobody → amckay
Target Milestone: --- → 2014-01-14

Comment 9

4 years ago
r? https://github.com/mozilla/zamboni/pull/1608
Yep, receipts have been and will always be the protective mechanism against freeloaders using paid apps. Once one person buys an app, they could copy the source code from their device and give it to someone else, but a copied receipt is detectable (when validated server side).

However, I agree that protecting paid app source code is a good idea if only as a defense-in-depth strategy. Some devs are inevitably going to be careless about validating receipts so it will protect them a little bit.
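The receipt-based protection described in this thread, shown as an added illustration that is not code from the bug, from zamboni, or from the Marketplace: a simplified receipt (JSON claims plus an HMAC tag; the real Marketplace receipt format is different) is verified server-side, which is what makes a receipt copied from a buyer's device to another user detectable even though the package download itself carries no secret. The key, user names and helper names are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side signing key for the demo; a real service would
# keep this in a secret store, never in source.
SERVER_KEY = b"constructed-demo-key"


def issue_receipt(user, app_id, issued_at, key=SERVER_KEY):
    """Bind a purchase to (buyer, app) and sign it. Constructed format:
    urlsafe-base64(JSON claims) + "." + hex HMAC-SHA256 over the claims."""
    claims = {"user": user, "app": app_id, "iat": issued_at}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_receipt(receipt, presenting_user, app_id, key=SERVER_KEY):
    """Server-side check. Returns one of:
    "ok", "malformed", "bad-signature", "wrong-app", "copied".
    "copied" is the case the thread describes: a genuine receipt presented
    by someone other than the user it was issued to."""
    try:
        body, tag = receipt.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return "bad-signature"
    claims = json.loads(payload)
    if claims.get("app") != app_id:
        return "wrong-app"
    if claims.get("user") != presenting_user:
        return "copied"
    return "ok"


if __name__ == "__main__":
    # App ids taken from the URLs quoted in the bug; users are constructed.
    r = issue_receipt("alice", 237117, 1389000000)
    print(verify_receipt(r, "alice", 237117))  # ok
    print(verify_receipt(r, "bob", 237117))    # copied
```

The package zip is still public, as the thread concludes, so the app's own receipt check on launch is what stands between a freeloader and a paid app.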

Comment 11

4 years ago
https://github.com/mozilla/zamboni/pull/1608

And of course this doesn't help at all with hosted apps who really, really should be using receipts but there you go.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 12

4 years ago
Man, I'm on a winning streak this week. The problem here is that when we call install, cookies are not passed on to the install request. Which means we've got no authentication, and with no authentication we have no idea if they've paid or not.

https://github.com/mozilla/zamboni/commit/2a6a62
Assignee: amckay → nobody
Status: RESOLVED → REOPENED
Depends on: 951456
Resolution: FIXED → ---
Target Milestone: 2014-01-14 → ---

Comment 13

4 years ago
Note that this would also break the APK Factory as noted in bug 959288.
See Also: → bug 959288
Uhm, for example my apps are on GitHub, so I think a field for inserting the link to the repo's site (issues, wiki, etc.) would be better than an automatic download by the marketplace.

Comment 16

3 years ago
We'll go for receipts being the protection mechanism.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX