Bug 962446: Firefox addon updates vulnerable to hijacking through AMO
Opened 11 years ago
Closed 11 years ago
Component: Firefox :: Security (defect)
Status: RESOLVED DUPLICATE of bug 960036
Reporter: yan (Unassigned)
Keywords: reporter-external
(Taken from http://s0beit.me/vulnerabilities/firefox-plugin-ownership-hijacking-exploit/)
Steps to repro:
1. Alice makes an addon and doesn't specify an update URL. She doesn't upload it to AMO.
2. Bob takes her addon, turns it into malware, then uploads it to AMO.
Result:
All users who've installed Alice's addon automatically get the malware update from AMO.
I'm marking this as sec-major because, as the author of the original post points out, this could be disastrous if someone decides to find addons without update URLs on Github and upload them all with injected malware to the addons store. Granted, it's probably mitigated by AMO's addon review process. But I'd rather not trust that alone.
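The update path the report describes, as an added example (not code from the bug report, the linked post, or Mozilla): a small Python lint for an install.rdf-style add-on manifest that works out where Firefox will fetch updates from and flags the unpinned case, where the add-on ships no em:updateURL and the update source is therefore decided by whoever controls the same em:id on AMO. The manifest text is constructed for the example; the AMO_DEFAULT_UPDATE constant is an illustrative stand-in for the value of Firefox's extensions.update.url preference; parse_manifest, resolve_update_source and lint_update_path are names chosen here.

```python
"""Lint an install.rdf-style Firefox add-on manifest for an unpinned update path.

Added example (not from the bug report, the linked post, or Mozilla): it shows
why an add-on shipped without em:updateURL has its update source decided by
whoever controls the same em:id on AMO.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Stand-in for Firefox's default update service (the extensions.update.url
# preference); illustrative only, the real value is a templated URL.
AMO_DEFAULT_UPDATE = "https://versioncheck.addons.mozilla.org/update/VersionCheck.php"

# Constructed sample manifests: Alice's add-on as shipped (no updateURL)
# and the same add-on with its update path pinned to her own server.
UNPINNED_MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>alice-addon@alice.example</em:id>
    <em:version>1.0</em:version>
    <em:type>2</em:type>
    <em:name>Alice's Add-on</em:name>
  </Description>
</RDF>"""

PINNED_MANIFEST = UNPINNED_MANIFEST.replace(
    "<em:type>2</em:type>",
    "<em:type>2</em:type>\n    <em:updateURL>https://alice.example/update.rdf</em:updateURL>",
)


def parse_manifest(xml_text):
    """Return the em:* fields the update decision depends on."""
    root = ET.fromstring(xml_text)
    desc = root.find("{%s}Description" % RDF_NS)
    if desc is None:
        raise ValueError("no rdf:Description in manifest")

    def field(name):
        el = desc.find("{%s}%s" % (EM_NS, name))
        if el is not None and el.text:
            return el.text.strip()
        # RDF also allows properties as attributes on the Description node.
        return desc.get("{%s}%s" % (EM_NS, name))

    return {
        "id": field("id"),
        "version": field("version"),
        "updateURL": field("updateURL"),
        "updateKey": field("updateKey"),
    }


def resolve_update_source(manifest):
    """Where Firefox will look for updates: the author's updateURL if set,
    otherwise the AMO default, keyed only by the add-on's em:id."""
    if manifest["updateURL"]:
        return ("author", manifest["updateURL"])
    return ("amo", AMO_DEFAULT_UPDATE)


def lint_update_path(manifest):
    """Findings a reviewer would raise about who controls this add-on's updates."""
    findings = []
    source, url = resolve_update_source(manifest)
    if source == "amo":
        findings.append(
            "no em:updateURL: updates for id %r come from AMO, so whoever "
            "uploads that id to AMO first controls them" % manifest["id"]
        )
    elif urlparse(url).scheme != "https" and not manifest["updateKey"]:
        # Firefox rejects a plain-http updateURL unless update manifests are
        # signed with the key carried in em:updateKey.
        findings.append("em:updateURL is not https and no em:updateKey is set")
    return findings


if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED_MANIFEST), ("pinned", PINNED_MANIFEST)):
        m = parse_manifest(text)
        print(label, resolve_update_source(m), lint_update_path(m))
```

Run against the two constructed manifests, the unpinned one resolves to the AMO default and gets one finding; the pinned one resolves to Alice's server and passes. Pinning only moves trust, it does not remove it: the pinned URL has to be https (or the update manifests signed against em:updateKey), and the AMO review the reporter mentions stays the only control for the unpinned case.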
Updated 11 years ago
Severity: major → normal
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty-
OS: Linux → All
Hardware: x86 → All
Resolution: --- → DUPLICATE
Updated 10 years ago
Group: core-security → core-security-release
Updated 9 years ago
Group: core-security-release
Updated 1 year ago
Keywords: reporter-external