Automated Scanning of Firefox Extensions is Security Theater (And Here’s Code to Prove It)


  • area_can

    So for those who don't know, Mozilla is trying to get people to migrate to Chrome by becoming Chrome (I should mention that I'm still using Firefox, if only because of the tree-style tabs extension). Part of the process is limiting addons to be chromelike and requiring all addons to be signed by Mozilla. Dude writes up a quick proof-of-concept showing that Mozilla's automated validator can't catch all malware (which I'd expect, since they'd need to go through a manual review first):

    #### Bypassing the AMO validator

    Here’s an extension I created in a few minutes: https://github.com/dstillman/amo-validator-bypass

    It does three things:

    1. It monitors HTTP(S) requests for Basic Auth credentials and POSTs them to an arbitrary HTTP server. (I chose Basic Auth because it was easy, but it could be cookies, page content, or any other sort of sensitive data.)
    2. When a given URL is loaded, it runs an arbitrary local process.
    3. When another given URL is loaded, it downloads arbitrary JS code from a remote server and runs it with full privileges.

    This extension passes the AMO validator with no signing warnings, meaning it would be automatically signed for distribution. #1 required no modifications to pass validation. #2 and #3 required some l33t hacking in the form of Components.interfaces["nsI" + "p".toUpperCase() + "rocess"] and window['e'.replace() + 'val'](req.responseText) — variations on basic string concatenation.

    Not very convoluted, but maybe they'd catch that in the review process (which would take quite a while).

    Then someone from Mozilla adds the extension ID of the proof-of-concept extension to a blacklist. :facepalm:

    Way to go, you totally got rid of the problem!

    edit: Oh, and he's found another workaround for the PoC
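As an added example (not code from the post, from dstillman's proof of concept, or from Mozilla's validator), the JavaScript below models the gap the quoted post describes: a scanner that matches literal strings such as nsIProcess and eval( misses the concatenated spellings quoted above, while a heuristic that flags bracket lookups with computed keys does catch them, at the cost of false positives on ordinary code. The names SAMPLES, naiveScan, dynamicScan and review are assumptions for illustration.

```javascript
// Constructed samples: two plain spellings a string blacklist catches, and the
// two concatenated spellings quoted in the post that a blacklist cannot see.
const SAMPLES = {
  plainProcess:  'var iface = Components.interfaces.nsIProcess;',
  plainEval:     'window.eval(req.responseText);',
  concatProcess: 'Components.interfaces["nsI" + "p".toUpperCase() + "rocess"]',
  concatEval:    "window['e'.replace() + 'val'](req.responseText)",
};

// Naive scanner: literal token matching, which is all a string blacklist can do.
const BAD_TOKENS = ['nsIProcess', 'eval('];
function naiveScan(src) {
  return BAD_TOKENS.filter((tok) => src.includes(tok));
}

// A key that is a single string literal, number or identifier is static and can be
// read off the source; anything else (concatenation, method calls) is computed.
const STATIC_KEY = /^\s*(?:"[^"]*"|'[^']*'|\d+|[A-Za-z_$][\w$]*)\s*$/;

// Heuristic scanner: report every bracket access whose key is not static. This is
// the kind of signal a reviewer can act on, but it also fires on legitimate code
// such as obj[prefix + name], so it narrows manual review rather than replacing it.
function dynamicScan(src) {
  const findings = [];
  const re = /\[([^\[\]]+)\]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (!STATIC_KEY.test(m[1])) findings.push(m[0]);
  }
  return findings;
}

// Combine both passes over one source text.
function review(src) {
  return { literalHits: naiveScan(src), computedKeys: dynamicScan(src) };
}

// Demonstrate on the constructed samples.
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(review(src)));
}
```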



  • This here makes it even better!

    https://www.reddit.com/r/firefox/comments/3u8cbe/automated_scanning_of_firefox_extensions_is/cxcrsg3

    What Mr. Stillman fails to mention in his post is that we are working on trying to find a compromise for larger add-ons like Zotero (which has historically always been a difficult add-on, submitting unnecessary code changes that slow up review times, etc.) while still preserving the integrity of our add-on system. Read this thread, https://groups.google.com/forum/#!topic/mozilla.addons.user-experience/vxpElfVe_uo, where the topic of whitelisting is extensively talked through (even though this is exactly what Mr. Stillman wants, he continues to complain).



  • :headdesk: Why does people's need to feel safe always get in the way of being reasonable? It escapes me how end users don't notice if a plugin is a POS.



  • In the reddit thread, there's an explanation which is quite reasonable to me:

    However, what I found to be missing from your analysis was a basic understanding of human nature. Obviously, this system is going to be defended vigorously, against all logic, all reason, all common sense.

    Why?

    Because it is someone's job to build it, that's why. Once it is someone's job to build something, you have someone whose (probably substantial) salary depends on it being a good, necessary, and useful thing to build. That someone is going to fight tooth and nail to defend it.

    This is human nature.

    And the Mozilla Foundation is going to listen to them over you.

    Why?

    Because they are familiar, you are not. Because what they say is comforting, and what you say is intensely painful and embarrassing if true. No one wants to learn they've spent X years of hard work living a lie.

    This, also, is human nature.

    So this system will be built. It will not work. But it will pretend to work for some time, before it very publicly doesn't work, and damage will no doubt stretch to the hundreds of millions or even billions of dollars. Because humans are nothing but tightly-wound balls of self-deception.

    Nothing you can do will change this.



  • I am waiting though for this one person who will ever not install something they want because it failed "validation" ... well, I guess there are those who don't know how to get round that one.


  • area_can

    @ben_lubar do you know of any browsers written in go? Something sorta like Servo?



  • Sadly, none of this surprises me. The Mozilla people have developed the same attitude that all big companies eventually get - that they can abuse their customers without consequences.

    I use Firefox because I'm familiar and comfortable with it, and because I have several add-ons that I like to work with.

    If the next revision summarily breaks all those add-ons (and some will never be fixed because the author stopped development a long time ago), then I'm back to running it in the base configuration, and there is no longer anything preventing me from switching to something else. Especially since they seem bent on changing the entire UI as well.

    They're going to security-theater themselves into making their user-base switch to Chrome or Safari or Opera or any number of other competing browsers. But I'm sure they're OK with that - after all, anyone who disagrees with their policy is only doing so because he's opposed to security and wants to spread malware.

    And like so many other companies who have abused, and then lost their customers, they will fail to see through their own delusions the entire time the company spirals into oblivion.

    At least Mozilla code is open source so if they piss off enough of their own developers, someone will fork it and (maybe) be a bit more reasonable.



  • I've thought about building a browser in Go, but most browsers that exist right now are so hacky with how they do things that I don't think I could replicate their performance in a language that doesn't let you run code from the heap or other crazy things.



  • @David_C said:

    At least Mozilla code is open source so if they piss off enough of their own developers, someone will fork it and (maybe) be a bit more reasonable.

    Somebody did:

    I've been using it for almost a year now and it's much better than the crap that Firefox has devolved into.


  • FoxDev

    @royal_poet said:

    I am waiting though for this one person who will ever not install something they want because it failed "validation" ... well, I guess there are those who don't know how to get round that one.

    I'm waiting for the end user that doesn't trust the "validation" and instead does their own investigative validation before even trying to install an extension...

    And if that happens I'd like a billion dollars and world peace for my other two wishes.



  • Isn't Mozilla supposed to be rewritten in Rust or something?

    @ben_lubar you probably could use the webkit engine, since the complaints are in the plugin system. even if you need to change something it's probably simpler to modify it a bit than write your own engine



  • @fbmac said:

    Isn't Mozilla supposed to be rewritten in Rust or something?

    Assuming you mean the browser and not the organization, that would probably be a good idea. If you actually meant the organization, I guess you're asking for skynet or something?


  • area_can

    Yes, there's servo. But it's not meant to replace Firefox.



  • Wow. So not only do they pull that stupid fucking signing bullshit. They do it for LITERALLY ZERO BENEFIT. And they incompetently try to hide their incompetence.

    Come on, Firefox forks, now is your time to become something!



  • @Palemoon said:

    Why was Windows XP support discontinued by Pale Moon?
    Windows XP is no longer supported or maintained by its developer (Microsoft) and lacks continued security updates that are needed in this day and age of malware. It's considered End of Life since April 2014, and using it is inherently taking a security risk. Also understand that Windows XP lacks some features in terms of program security and stronger security certificates.

    @Palemoon said:

    Windows XP compatibility is maintained for these builds since many older, low powered netbooks/laptops do not run a later operating system. Please be responsible if you are running this operating system that is no longer supported with security updates by the manufacturer.

    Why should a browser be so concerned with how supported and secure the OS its users run it on is?

    This feels like something Firefox would do, not a Firefox alternative. (And Firefox doesn't do this.)

    No, I'm not still using Windows XP. Yes, I did see Paley has some less bad reasons for not supporting Windows XP (at least if true; some were a bit of a red flag in other ways).


  • Wouldn't they have to reimplement all the stuff that later kernels added to keep working on older versions while using new features?



  • Yes, that's a good reason to drop support for Windows XP ("The cost outweighs the benefit"), and it's even one of the reasons listed on the site.
    I just found the quoted reason (also the first reason listed) quite slimy.



  • If it uses OS provided infrastructure to provide security (like SChannel for IE), it should have concern.

    If it doesn't, then it has lesser concern. (Say, Firefox uses NSS to provide SSL encryption)


  • Trolleybus Mechanic

    Mozilla: Inventing solutions to problems that don't exist since 2009.


  • area_can

    I've installed Pale Moon and got two of my incompatible extensions working by installing older versions.

    Except the mouse gestures extension fails to scroll, probably due to some API breakage. I edited the extension code to try and fix it, but when I start the browser it uninstalls the extension. :headdesk:

    I think I might just start using lynx.



  • OMGWTF3 confirmed to be "write a Firefox extension that doesn't break with every update"


  • area_can

    Sigh.


  • :belt_onion:

    I hope they're better at web browser development than they are at CSS...



  • @bb36e said:

    I've installed Pale Moon

    Me too.



  • OMGWTF challenges are for retardary, not impossibility.

