I didn't see any mail to amo-admins, nor to secur...@mozilla.org so
I wanted to follow up. What URLs are you seeing that aren't on the
s3 service? Nothing jumped out at me browsing the code, but knowing
what I'm looking for would help me find it if it's purposefully hidden.

On 2/14/10 2:45 AM, Reed Loden wrote:
> On Sun, 14 Feb 2010 02:27:11 -0800 (PST)
> Jake Metherell <fluffylo...@gmail.com> wrote:
> 
>> I noticed (via monitoring with FireBug) that a fairly popular add-on
>> (S3Fox) is making dozens of http requests that appear to have nothing
>> to do with the add-on's normal function.  It could be attempting to
>> harvest information/passwords etc. from the user, but I'm not sure and
>> it might just be a bug.
>>
>> Obviously, I could report the issue to the creator of the add-on, but
>> that might not be the best place if it is doing bad things.
> 
> https://addons.mozilla.org/en-US/developers/docs/policies/contact#section-security
> 
> "Add-on Security Vulnerabilities
> 
> If you have discovered a security vulnerability in an add-on, even if
> it is not hosted here, Mozilla is very interested in your discovery and
> will work with the add-on developer to correct the issue as soon as
> possible. Add-on security issues can be reported confidentially in
> Bugzilla or by emailing amo-adm...@mozilla.org."
> 
> ~reed
> 

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
