No good deed goes unpunished

Disclaimer: I don’t blame people working on AMO for anything. They face extremely difficult problems and are working very hard. I am simply noting some areas where they still have a long way to go.

I started a little experiment: I downloaded all extensions from addons.mozilla.org (AMO), unpacked them and tried to find security holes by searching for specific strings. As expected, it wasn’t all that difficult; one can easily find a dozen vulnerable extensions in an hour, and that is not even accounting for the fact that there is a certain unpopular class of extensions on AMO all sharing the same buggy code. The only reason I didn’t hit all that many high-profile extensions was that I was going through the extensions in alphabetical order instead of by popularity.

And since I was at it, I decided to file some bugs in the AMO / Add-ons component; after all, that component is meant for serious bugs in extensions that require AMO’s attention, right? I didn’t do this for extensions using wrappedJSObject without knowing what it does (usually this only gives web pages a chance to break the extension, nothing more). However, I found some cases where an extension made you vulnerable to the point that every time you visit a web page you risk getting your computer “owned” by it. And there were some less critical cases where the extension would communicate with its server and receive some JavaScript (typically JSON) as a response, which it would then execute with eval() instead of parsing it.

Of course, everybody has two jobs, a family with five children and still has to find time to walk the dog. So it wasn’t exactly unexpected that I had to contact the extension authors myself. But what surprised me was the suggestion not to file bugs for these issues at all and to contact the authors directly instead, because it was “only JSON”. These non-critical issues supposedly aren’t AMO’s concern and only add noise on Bugzilla. Yet I tend to treat all security bugs seriously, even the ones that are less likely to be exploited, and so far everybody at Mozilla seemed to agree with me on that. Consequently, security issues need a bug to track their progress; to me that is obvious. Add to that the fact that most extensions don’t have a bug database that could be used for that, and even if they do, there is usually no way to mark a bug as “security sensitive”.

I honestly don’t like the fact that somebody at AMO is taking security lightly. Granted, the user already installed the extension, so why should he care that it will run code from the author’s site? But then, he didn’t necessarily trust its author; he trusted AMO, the very official Mozilla site for extensions. The extension has been reviewed and published, so there can’t possibly be anything wrong with it, right? And even if the user trusts the extension’s author, does he have to trust the author’s web server administration skills as well? If that web server is ever hacked and the extension executes whatever “JSON” it receives from the server without parsing and checking it first, then every computer with this extension installed might get infected with spyware, become a spam bot or just about anything else.
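To make the “only JSON” problem described in the two paragraphs above concrete, here is an added example (not code from the original post or from any of the extensions it refers to). It shows the eval() pattern those extensions used next to a hardened version that parses and validates the response instead. The response texts are constructed for the demonstration; the field names (`version`, `message`) and the validation rules are assumptions, and JSON.parse stands in for whatever JSON parser an extension of that era would have used (nsIJSON or a JSON library).

```javascript
// Added example, not code from the original post. Constructed responses and
// assumed field names; JSON.parse is assumed as the parser.

// What vulnerable extensions typically did: wrap the response in parentheses
// so an object literal parses as an expression, then eval it. Direct eval runs
// ANY JavaScript the server (or whoever controls it) sends, with the
// extension's privileges.
function parseResponseUnsafe(responseText) {
  return eval("(" + responseText + ")");
}

// Hardened version: a real JSON parser accepts data, never code. Then validate
// the shape before trusting any field, because "valid JSON" alone says nothing
// about the types and sizes the rest of the extension assumes.
function parseResponseSafe(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return { ok: false, error: "not valid JSON: " + e.message };
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, error: "expected a JSON object" };
  }
  // Allow-list the fields actually used and check their types and limits.
  if (typeof data.version !== "string" || !/^\d+(\.\d+)*$/.test(data.version)) {
    return { ok: false, error: "bad version field" };
  }
  if (typeof data.message !== "string" || data.message.length > 200) {
    return { ok: false, error: "bad message field" };
  }
  return { ok: true, version: data.version, message: data.message };
}

// Constructed responses: what an honest server sends, and what a server that
// has been taken over could send to the very same endpoint.
const BENIGN_RESPONSE = '{"version": "1.2", "message": "Update available"}';
const MALICIOUS_RESPONSE =
  '{"version": "1.2"}); globalThis.hijacked = "code ran"; ({"version": "1.2", "message": "ok"}';

function demo() {
  const results = {};
  results.unsafeBenign = parseResponseUnsafe(BENIGN_RESPONSE).version;
  delete globalThis.hijacked;
  // The malicious response still yields a plausible-looking object...
  results.unsafeMalicious = parseResponseUnsafe(MALICIOUS_RESPONSE).version;
  // ...but the injected statement has already executed with full privileges.
  results.hijacked = globalThis.hijacked;
  results.safeBenign = parseResponseSafe(BENIGN_RESPONSE);
  results.safeMalicious = parseResponseSafe(MALICIOUS_RESPONSE);
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the demo is that the unsafe parser cannot tell the two responses apart: both return an object whose `version` is “1.2”, and the only trace of the attack is the side effect. The safe parser rejects the malicious text at the syntax level and rejects well-formed JSON of the wrong shape at the validation step, so a compromised server can at most make the extension refuse to update.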

Dealing with users’ trust is a problem that AMO still has to face. People come to AMO bringing lots of trust, trust that Firefox has earned. And in return they get extensions, most of which are of far lower quality than Firefox itself. My little experiment proved the point: a large percentage of the extensions on AMO are buggy to the extent of exposing users to security threats. Of course, once Remora goes online there will be “reliable” and “experimental” extensions, and the quality of the former should be better. Yet segmenting extensions by user reviews isn’t a silver bullet; these are rarely objective and well-informed. AMO could display warning texts in big red letters saying that whatever an extension breaks is solely the extension author’s fault and neither AMO nor Firefox did anything wrong, but then again, shutting down AMO would work even better. Then at least users would certainly notice that they are installing from an untrusted site. In the end, I doubt there is any real alternative to a code review. It won’t have to be thorough, but catching at least the most common problems like unnecessary use of eval() is a MUST.

We’ll see how it goes. I for my part am waiting for Remora before I do anything with AMO again. I will probably continue my experiment, since I need to find more security holes to understand what the most common problems are and how they should be detected. But I won’t report the issues any more; it doesn’t seem to be worth my time. I hope I managed to raise awareness a little of the magnitude of the problems AMO has to deal with. And I also hope that I proved another point as well: a central repository with the source code of all extensions hosted on AMO would be a huge gain. Not only because this way it is easier to search for problems that are likely to occur in many extensions. Gecko developers have a hard time finding out whether a certain feature is used in extensions and if it is, how often and in which ways. And the extension authors themselves need a way to find code examples easily to learn from each other (that, unfortunately, always includes wrong things as well, but that’s just how it is). Anyway, after Remora launches I will be there again annoying people with my suggestions…
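The post argues that a review must at least catch the most common problems, such as unnecessary eval(), and that a searchable source repository makes it easier to find patterns that recur across many extensions. The following is an added example of what such a first-pass scan could look like; it is not code from the original post, from AMO, or from any review tool that existed. The rule list, the severities and the sample extension source are assumptions constructed for the demonstration, and a scanner like this only points a reviewer at lines to read, it does not replace reading them.

```javascript
// Added example, not code from the original post or from AMO. Rules,
// severities and the sample source below are constructed for illustration.

// Ordered from most to least severe; the first matching rule wins per line.
const RULES = [
  { id: "eval-response", severity: "critical",
    re: /\beval\s*\([^)]*responseText/,
    why: "server response executed as code: whoever controls the server controls every user" },
  { id: "eval-call", severity: "high", re: /\beval\s*\(/,
    why: "eval() executes arbitrary code and is almost never needed" },
  { id: "function-ctor", severity: "high", re: /\bnew\s+Function\s*\(/,
    why: "the Function constructor is eval() by another name" },
  { id: "timer-string", severity: "medium",
    re: /\bset(?:Timeout|Interval)\s*\(\s*["']/,
    why: "a string passed to setTimeout/setInterval is evaluated as code" },
  { id: "wrappedjsobject", severity: "medium", re: /\bwrappedJSObject\b/,
    why: "unwrapping a page object lets the page interfere with privileged code" },
];
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2 };

// Blank out comments so commented-out eval() does not count, while keeping
// line numbers intact. Deliberately simple: it does not understand string
// literals, so a "//" inside a URL string is treated as a comment too.
function stripComments(source) {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, m => m.replace(/[^\n]/g, " "))
    .replace(/\/\/[^\n]*/g, "");
}

// Returns findings sorted by severity, then by line number.
function scan(source, fileName) {
  const findings = [];
  stripComments(source).split("\n").forEach((line, index) => {
    const rule = RULES.find(r => r.re.test(line));
    if (rule) {
      findings.push({ file: fileName, line: index + 1, rule: rule.id,
                      severity: rule.severity, why: rule.why, code: line.trim() });
    }
  });
  return findings.sort((a, b) =>
    SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line - b.line);
}

// Constructed sample of an extension's chrome script (not from any real extension).
const SAMPLE_EXTENSION_JS = `// update check, as many extensions of the time did it
var req = new XMLHttpRequest();
req.open("GET", "http://example.com/update.php", false);
req.send(null);
var data = eval("(" + req.responseText + ")");
/* old code: eval(prefs); */
setTimeout("refresh()", 1000);
var page = content.document.wrappedJSObject;
var parsed = JSON.parse(req.responseText);
`;

function report(findings) {
  return findings.map(f =>
    `${f.file}:${f.line} [${f.severity}] ${f.rule}: ${f.code}\n    ${f.why}`).join("\n");
}

console.log(report(scan(SAMPLE_EXTENSION_JS, "chrome/content/overlay.js")));
```

On the sample it flags the eval of `responseText` on line 5 as critical, the string timer on line 7 and the wrappedJSObject use on line 8 as medium, and stays quiet on the commented-out eval and on the JSON.parse line. Regex rules of this kind are easy to evade and produce false positives on strings, which is exactly why the post calls for a human review on top; the scan just decides where the reviewer looks first.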

Comments

  • IceDogg

    This is scary! I’m kind of paranoid anyway and this doesn’t sit well with me. What would you recommend for users to do to watch out for bad extensions? Users like me that like them but don’t know any programming? Something we can look for in the code? If you don’t want to publish it, I’d love to get an email about it from you/someone/anyone that knows. Thanks.

    Wladimir Palant

    That’s exactly the problem – as a regular user you can’t see it, at least some minimal code analysis is required. That’s why user reviews won’t help. For now you can comfort yourself with the thought that Firefox extensions aren’t popular enough for somebody to try to exploit vulnerabilities in them. This will change of course but hopefully AMO will have found some sort of a solution by then.

  • ashish sharma

    That’s right, it did scare me. Suddenly I feel that all those security issues that plagued the IE/ActiveX duo will surface for FF as well. Just a matter of time, isn’t it?

    But I don’t think shutting down AMO is a good, or rather practical, solution to it anyway. Part of Firefox’s popularity is because of a single unified extensions source. Secondly, shutting down AMO will cut only the source but not the problem itself.

    I think we need something like PMD for extensions.

    Wladimir Palant

    PMD? Maybe you meant DMZ?

    The problem with the extensions isn’t as bad as with ActiveX – Windows comes with lots of ActiveX controls pre-installed and a malicious website can really rely on these controls being there. On the other hand, Firefox doesn’t have any extensions by default and I guess that not more than 20% of all Firefox users have any extensions installed at all. Another issue with ActiveX that Firefox extensions don’t have is that most of those ActiveX controls were never meant to be used from the web and were not designed with security in mind.

    But of course, with the popularity of both Firefox and extensions increasing, we might see malicious sites specifically targeting popular extensions. But I think we still have years before that happens – time that we should use.

  • ashish sharma

    Hi
    With PMD I meant http://pmd.sourceforge.net/. Running a battery of automated white-box tests before the extension becomes available. Maybe it will also help with memory leaks and sub-optimal code.

  • Callie Green

    Hi..

    I am not a computer whiz and am unfamiliar with much on my computer, and learning. I use Firefox and like it. I did, however, install the add-on ADBLOCK, which I want to remove. But I don’t know how to remove it from my computer. Any suggestions to help me please. Thank you.

    Wladimir Palant
  • Mr. Eisler

    Another problem of the Mozilla Add-ons page is that there are these spam toolbars, the ones where users with little knowledge of Firefox’s own capabilities think: “Oh, it’s got a popup blocker, let’s install it!”. I mean, no one really needs an additional popup blocker or search bar in Firefox, and for RSS and email notification there are better extensions which don’t “send anonymous usage stats“ to Conduit.
    However, the extension authors by default put these toolbars in all of the categories, so that every user will see their all too long descriptions (these texts aren’t even cut to shorten the page).

    The problem with bugs is something which probably goes for extensions that store their settings on a server, like bookmarking services or something, hopefully. I never install those extensions … but I’ve got a lot of other extensions.

  • No Just Us for Peace

    There are several shareware download sites that use automation to screen for malware by installing and scanning. It seems like it would be far simpler to scan extensions on submission to AMO.

    Why don’t they?

    Wladimir Palant

    These sites don’t scan for malware but rather for known virus signatures. A generic recognition of malware is impossible (defining the term “malware” is hard enough in words already). Scanning for viruses in extensions is pointless since extensions aren’t compiled. And even if AMO were to create a “malware” scanner, it would be easy to circumvent (AMO is open source, so anybody could check what they scan for). Automated scanning for possible vulnerabilities, on the other hand, is something that could be done – and will be done, hopefully soon. But it will only catch the most obvious things of course; e.g. extensions that are vulnerable by concept (Firefoxit is an example) usually cannot be recognized automatically.

  • noname

    You can also reduce the probability of certain kinds of attacks by (1) running your browser in a non-privileged user account; and (2) denying that account access to all files except those it needs to run your browser, store your downloads, etc.

    This approach makes it much more difficult for malware to compromise your OS, or to modify or read files that it shouldn’t. Alas, it does not prevent malware from monitoring and reporting your browsing history (and the contents of all the pages you’ve visited) to some server.