[Trisquel-devel] Trisquel addon repository has security risks
Luke
gaming4jc2 at yahoo.com
Sun Dec 1 18:51:32 CET 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I have noticed that the Trisquel aBrowser addon repository is
susceptible to several threat vectors.
1) Random users signing up and changing the download location of .xpi
files. This could be used to inject malicious code to unknowing users.
Solution:
a) Assign moderators who will check addons for approval similar to AMO
before going live.
b) Whitelist certain domains, e.g. only allow the url to contains
download links from "https://addons.mozilla.org" since they are
generally being checked by others.
2) Non-free blobs can still exists in supposedly free code and must be
reviewed. Taking for example a recent finding in FabTabs:
https://trisquel.info/en/browser/addons/fabtabs
While manually inspecting the code I found this interesting line
located in "/chrome/content/fabtab/content.js":
script.src =
'http://www.superfish.com/ws/sf_main.jsp?dlsource=fgzqxwui&userId=c4aa8323-83ff-4385-a2df-d45f8c1ce97a&CTID=fabtab';
This code appears to be a web-beacon and directly links to non-free
code outside of the original xpi! Thankfully this outside code appears
only to have analytic/tracking built in and not actual malicious
intent other than ensuring HTTPS is OFF whenever it queries the beacon
(contains url rewrites). However this opens the door for much larger
problems. Someone should be proactively studying extensions prior to
upload, and/or implement a small filter which can catch certain
artifacts at minimum.
One such make-shift bash script I whipped up (could use some work):
unzip -p *.xpi | cat | grep "http://\|https://\|eval(base64_decode"
This outputs all links and any base64 found inside of an xpi to the
terminal, and can catch the superfish web beacon.
Just some thoughts. :)
-----BEGIN PGP SIGNATURE-----
iQEcBAEBAgAGBQJSm3ckAAoJEJ6DCuZ5py6j7SYIAJPuos8kCPjEG+k2LuSp+dlK
UCwUcfKHCU74bMBkPRHxHbBc6p1fgutrnwAn7M+iFPL7B7nAKeMFL3Q2TW8tHO3p
TGUFyTsDPsapogNVzjVO5Yt5rVkIa2C9TEQkVrjATTLkvF+dUPoCju8hZ2LVpMiG
yikda/JqYUtzN/MUWDAGkSq/Ldu9/kcTOk5iNcqOGlF/V7ZHPkQFOyrtZ7kSFJi6
Q4cr1E1BBekMptRNAnNIIaCC1hXX8I/MBK2WKsZS3PpGCyEySaZcmbaWGY3nvO9k
mwg+2Nz3cZcdciURDDn5Rlhk8dWzXZqu83WtsN2e9MfU9YsYDKEVPX1ZiqWWcTM=
=V9fF
-----END PGP SIGNATURE-----
More information about the Trisquel-devel
mailing list