
Adblock Plus and (a little) more
No good deed goes unpunished

Disclaimer: I don’t blame people working on AMO for anything. They face extremely difficult problems and are working very hard. I am simply noting some areas where they still have a long way to go.

I started a little experiment - downloaded all extensions from (AMO), unpacked them and tried to find security holes by searching for specific strings. As expected, it wasn’t all too difficult, one can easily find a dozen vulnerable extensions in an hour, and that not even accounting for the fact that there is a certain unpopular class of extensions on AMO all sharing the same buggy code. I didn’t do this for extensions using wrappedJSObject without knowing what it does (usually this should only give web pages a chance to break the extension but nothing more). And because I was already at it, I decided to file some bugs in the AMO / Add-ons component, after all that component is meant for serious bugs in extensions that require AMO’s attention, right? The only reason I didn’t hit all too many high profile extensions was that I was going through the extensions in alphabetical order instead of going by popularity.

However, I found some cases where an extension made you vulnerable to the point that every time you visit a web page you risk getting your computer “owned” by it. And there were some of the less critical cases where the extension would communicate with its server and receive some JavaScript (typically JSON) as a response which it would then execute. Of course, everybody has two jobs, a family with five children and still has to find time to walk the dog. So it wasn’t exactly unexpected that I had to contact the extension authors myself. But what surprised me then was the suggestion not to create bugs on the issues and contact the authors directly because it was “only JSON”. Granted, the user already installed the extension, so why should he care that it will run code from the author’s site? But then, he didn’t necessarily trust its author - he trusted AMO, the very official Mozilla site for extensions. And even if the user trusts the extension’s author, does he have to trust his web server administration skills as well? If his web server is ever hacked and the extension executes JSON code from the server without checking it first, then every computer with this extension installed might get infected with spyware or become a spam bot or just about anything else.

These uncritical issues supposedly aren’t AMO’s concern and only increase the noise on Bugzilla. Yet I tend to treat all security bugs seriously, even the ones that are less likely to be exploited, and so far everybody from Mozilla seemed to agree with me on that. Consequently security issues need a bug to track their progress, to me that is somehow obvious. Add to that the fact that most extensions don’t have a bug database that can be used for that, and even if they do, there is usually no way to mark the bug “security sensitive”. I honestly don’t like the fact that somebody at AMO is taking security lightly.

Dealing with user’s trust is a problem that AMO still has to face. People come to AMO bringing lots of trust, trust that Firefox has earned. And in return they get extensions most of which are of far lower quality than Firefox itself. The extension has been reviewed and published, there can’t possibly be anything wrong with it, right? My little experiment proved the point: a large percentage of extensions on AMO is buggy to the extent of exposing users to security threats. Of course, once Remora goes online there will be “reliable” and “experimental” extensions, and the quality of the former should be better. Yet segmenting extensions by user reviews isn’t a silver bullet, these rarely are objective and well-informed. AMO could display warning texts in big red letters telling that whatever an extension breaks is only extension author’s fault and neither AMO nor Firefox did something wrong - but then again, shutting down AMO will work even better. Then at least the users will certainly notice that they are installing from an untrusted site. In the end, I doubt there is any real alternative to a code review. It won’t have to be thorough but catching at least the most common problems like unnecessary use of eval() is a MUST.

I for my part am waiting for Remora before I do something with AMO again. I will probably continue my experiment since I need to find more security holes to understand what the most common problems are and how they should be detected. But I won’t report the issues any more, it doesn’t seem to be worth my time. I hope I managed to raise a little bit the awareness of the magnitude of problems AMO has to deal with.
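As an added illustration of the “only JSON” problem (this is not code from the post or from any real extension), here is the eval() pattern beside a hardened version that treats the server reply as data only; the reply format, the function names and the availability of JSON.parse are assumptions, and both replies are constructed.

```javascript
// Added example, not from the post or from any real extension: the "only JSON"
// pattern (eval of a server reply) beside a safe alternative.
// Constructed reply as a well-behaved update server would send it (hypothetical format).
const legitimateReply =
  '{"version": 3, "filters": ["ads.example/*", "tracker.example/*"]}';

// Constructed reply standing in for what a compromised server could send: it
// still yields the expected object, but it is JavaScript, not data. The side
// effect is deliberately harmless here (it only sets a global marker).
const tamperedReply =
  '(function () { globalThis.marker = "code ran"; return {"version": 3, "filters": []}; })()';

// Vulnerable pattern: whatever the server sent is executed with the
// extension's privileges, so a tampered reply runs arbitrary code.
function parseWithEval(reply) {
  return eval('(' + reply + ')');
}

// Hardened pattern: JSON.parse accepts data only, never code, and the parsed
// object is checked against the shape the extension expects before use.
function parseUpdateSafely(reply) {
  let data;
  try {
    data = JSON.parse(reply);
  } catch (e) {
    return null; // not JSON: reject, never fall back to eval
  }
  if (typeof data !== 'object' || data === null) return null;
  if (!Number.isInteger(data.version) || data.version < 0) return null;
  if (!Array.isArray(data.filters)) return null;
  if (!data.filters.every((f) => typeof f === 'string')) return null;
  return { version: data.version, filters: data.filters };
}

// Feed the tampered reply to both parsers and record whether code ran.
function demo() {
  delete globalThis.marker;
  const viaEval = parseWithEval(tamperedReply);
  const evalRanCode = globalThis.marker === 'code ran';
  delete globalThis.marker;
  const viaJson = parseUpdateSafely(tamperedReply);
  const jsonRanCode = globalThis.marker === 'code ran';
  return {
    evalAcceptedTampered: viaEval !== null && evalRanCode,
    safeRejectedTampered: viaJson === null && !jsonRanCode,
    safeAcceptedLegit: parseUpdateSafely(legitimateReply) !== null,
  };
}
```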
