Vulnerable extensions survey

I spent in total something like 10 hours searching 78 of the top 100 extensions for signs of unsafe interactions with the web (yes, I failed to download the extensions that are hidden behind a EULA, will do better next time). The result: 14 extensions with severe vulnerabilities (typically the kind of vulnerability that lets a web page take over your browser and even the computer if your browser runs with administrator privileges) and several proof-of-concept exploits. The good news: I don’t think that I missed too many vulnerable extensions; when I searched for more patterns, I just kept finding new issues in the extensions that were already known to be vulnerable. More good news: none of the top 10 most popular extensions made the list. The bad news: many of the remaining extensions didn’t make this list simply because they don’t interact with the web or only interact with the web in ways that are relatively unproblematic. Some others were just too messy to get an overview in reasonable time, so it was impossible to understand whether questionable coding practices actually caused security issues.

Altogether, not too many extensions follow best practices that would protect them from such issues. The percentage is probably lower than for websites. But on the other hand, the potential consequences of vulnerable extensions are not comparable. The conclusion (which isn’t really new): more evangelizing for safe coding practices is needed. I recently published my first article on safe coding practices, more should follow. And AMO needs to push extension authors into abandoning questionable approaches, regardless of whether these approaches currently cause security issues.

PS: Oh, and while I was at it I found an issue in one of my extensions as well – fortunately not exploitable but still something I will need to fix.

Comments

  • Jordan

    I’m not sure if you know about or have used MXR for addons (http://mxr.mozilla.org/addons/), but I’ve found it interesting to look at how many addons use a particular method or whatnot.

    Wladimir Palant

    That’s AMO source code, not the add-ons. You probably meant http://mxr-test.konigsberg.mozilla.org/addons/ but it is only available to “the chosen ones”. In general, my understanding is that AMO doesn’t want to make it too easy to search for vulnerable add-ons.

    Either way, I didn’t want to look at all the add-ons, there are simply too many. I wanted to look only at the popular ones.

  • Joe

    Since you have checked/check a lot of extensions, I have a question:
    Do you know a good RSS reader extension for Firefox which isn’t abandoned and is secure to use? Or do you have any advice for average joe? Thanks!

    Wladimir Palant

    RSS reader extensions are notoriously insecure, I am not aware of any that would do a complete job isolating blog content (though of course some fail in worse ways than others). I can only recommend using the built-in RSS reader in Thunderbird which has some quirks but works pretty well and has very good security.

  • RichB

    It doesn’t sound like the Firefox extension system follows the “pit of success” doctrine…

  • Boris

    I assume you will be filing bugs on the relevant extensions, as well as any core bugs about structural changes we can make to make it harder to shoot yourself in the foot?

    Wladimir Palant

    Of course I filed bugs on those extensions. As to structural changes, I expected those to happen in AMO. However, now that you mention it – I think there are a few things that can be done in toolkit as well, will file bugs on those later.

  • MoJo

    Any chance of publishing the actual list? I’d like to check the extensions I am using.

    Wladimir Palant

    I’ll certainly not do that. The extensions in question are already being fixed – the point was not outing them but making sure that the quality of extensions in general goes up.

  • Wil Clouser

    In regards to Wladimir’s reply to comment 1: It isn’t a matter of not wanting to make it easy to search, it’s just a matter of time and priorities. As a rule we don’t consider difficult things inherently secure. :)

    Also, thanks for doing this audit and filing bugs – it’s a big help to us and it sets a good example for add-on authors that sample other people’s code.

  • MoJo

    Okay, fair enough if that is your view. I personally prefer full disclosure. If you managed to find those vulnerabilities in such a relatively short time I’m sure others have :(

    Wladimir Palant

    I’m sure all the bug reports will be made public – once the issues have been fixed.

  • BenoitRen

    Would this be an opportunity for you to take a quick look at my extension? :)

    It’s at http://msnmsgr.mozdev.org/

    I don’t think there are any security issues, as what I receive either gets interpreted or put in a text node, but you never know.

  • Brian King

    The source for all add-ons is not public because not all of them are open source!