Bug 955929 - Malicious addon "BonanzaDeals" needs blocklisting
Status: RESOLVED WONTFIX (opened and closed 12 years ago)
Product: Toolkit :: Blocklist Policy Requests (defect)
Target Milestone: 2014-01-14
Reporter: mhammell; Assignee: jorgev
Attachments: 1 file (2.56 KB, application/octet-stream)
Description
Hello,
The attached zip contains a sample of a malicious addon. It hijacks a victim's Facebook account and sends spam to their friends.
Thanks!
Facebook Security
MD5: 24410126bb33a5e7199e45bc533a13be
Updated•12 years ago
Severity: normal → major
Comment 3•12 years ago (Assignee)
ID: {f9d03c26-0575-497e-821d-f7956d23e0ca}
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → 2014-01-14
Comment 4•12 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 5•12 years ago
Verified as fixed in https://addons.mozilla.org/en-US/firefox/blocked/i534 on FF26 (Win 7).
Closing bug.
Status: RESOLVED → VERIFIED
Comment 6•12 years ago
Hi guys,
We have recently received multiple complaints from users who have received warnings from Firefox about our add-on. In addition, we have experienced a decrease in product searches originating from our product. After further investigation we have come to learn that our add-on was reported as "takes over Facebook accounts and posts content without user consent."
This accusation is completely false! Our add-on does not collect any user data and has a strict privacy policy: http://www.bonanzadeals.net/privacy.html
Our product is used by many shoppers every day, and only displays shopping-related content. It has no interaction whatsoever with Facebook (or, in fact, any other social network) and we are not using any "viral marketing" techniques. No content is ever posted on behalf of our users, with or without their consent. We have also examined our server logs and content, and can confirm that our servers are secure and were not hacked at any point.
Furthermore, the old version of the add-on, the one uploaded by MarkH, actually had a bug in it that prevented it from doing anything at all. (This is the result of a malformed folder structure that was fixed in later versions.) So it's absolutely impossible that the add-on did anything described by MarkH.
As this is a completely false accusation that's hurting our product and users, I would like to ask that our add-on be re-enabled.
Thank you!
David Haus
Bonanza Deals
Flags: needinfo?(jorge)
Comment 7•12 years ago (Assignee)
Since the attached version fetches all of its code from a remote location, we were unable to validate any of your add-on's functions. Please attach your latest version, since it doesn't seem to be available on your website directly.
Judging by what we can find about it online (http://www.shouldiremoveit.com/Bonanza-Deals-90602-program.aspx), it's possible there are other issues with it that will need to be corrected before the block is removed. You can find our Add-on Guidelines here: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Add-on_guidelines
Flags: needinfo?(jorge)
Comment 8•12 years ago
You can just click the "Check for Updates" menu item under Add-ons Manager. Firefox will take care of the rest. Otherwise, I believe the default interval for add-on auto-updates is one week.
Regarding the remote location, the version posted by Mark does not even fetch the code from a remote server because of the malformed folder structure. It literally doesn't do anything. Triggering an add-on update from Firefox would fix that, too.
Thank you
Dave
Flags: needinfo?(jorge)
Comment 9•12 years ago (Assignee)
I don't have it installed at present. Please attach the latest version so I can give it a look.
Flags: needinfo?(jorge)
Comment 10•12 years ago
Hi Jorge,
The latest update is here:
http://s3.amazonaws.com/bonanzadeals/BD32.xpi
Thank you!
Dave
Comment 11•12 years ago
If I should stop flagging as "Need more info" please tell me...
Flags: needinfo?(jorge)
Comment 12•12 years ago (Assignee)
Thanks, the needinfo flag is not necessary.
Looking at your XPI, I don't have much information to make a decision either way, since all of its code is obtained from a remote source. But I'm willing to give you the benefit of the doubt. *However*, the way your add-on currently loads its code is very dangerous, which is enough for us to maintain the block until that is fixed.
Your add-on is fetching its code using an HTTP (not HTTPS) request that a malicious third party can intercept in transit, opening your users to MITM attacks, which are particularly dangerous for add-on code because it runs with system privileges. You need to at least switch to HTTPS requests for all code. What would be even better is that all privileged code is included in the extension package and only content code is fetched remotely.
Flags: needinfo?(jorge)
Comment 13•12 years ago
Thank you for your time Jorge.
We have adjusted the add-on per your request (http://s3.amazonaws.com/bonanzadeals/BD32.xpi). Rather than fetching the script over HTTPS (which can be quite costly at large scale), we are no longer fetching a XUL script from our server. I believe this completely neutralizes the "MITM running system code" concern. We have introduced this as a quick solution to protect our users, and keep working on solutions that would be both safe and flexible.
As a side note, most of these "hacks" are necessary because we have found Firefox's update interval to be a bit longer than would be appropriate for our release cycle.
We would greatly appreciate if you lift the ban while we keep developing the next generation of the product.
Thank you!
Dave
Comment 14•12 years ago (Assignee)
Okay, I just removed the block.
However, there are still security issues with your current approach. You're injecting your iframe into all sites, which will break the security state of secure sites like email and banks. If you don't want to serve your content over HTTPS, you shouldn't inject your iframe on sites that use HTTPS. In fact, you should ideally have a list of domains (which can be fetched from your server if needed) where the iframe will be injected, since I assume the frame will only work for certain sites anyway.
Status: VERIFIED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: FIXED → WONTFIX
Comment 15•12 years ago
Thanks Jorge! I appreciate your help and feedback. Like I said above, we came up with this as a quick solution that would fix the MITM concern, which was the most significant in terms of user safety.
> If you don't want to serve your content over HTTPS, you shouldn't inject your iframe on sites that use HTTPS.
That's exactly what we do in the version posted; we add the script only to pages whose URL starts with "http:", meaning that all secure pages are excluded, even those on our white-list.
Comment 16•12 years ago (Assignee)
Ah, I see, I missed that bit.
Updated•10 years ago
Product: addons.mozilla.org → Toolkit