web application security lab

Firefox Allows Any Site To Inject XPI Via XSS Via Delegation

Apparently this is true, although I can’t for the life of me figure out why this should be allowed. I ran across an article at DCortesi’s site talking about how Firefox has delegated their security to Google for installation of the Google Sync XPI. Pretty scary actually. What this means is that if an XSS hole were ever found in any whitelisted domain (including XSS in their server, MITM through your proxy server etc…) Firefox will happily allow you to download xpi files. I’ve talked with a few people about this off and on in a different context of loading an xpi file into a data: directive on the whitelisted domain. Yah, that’s scary. This is worse.

This sort of delegation of authority to other domains that you haven’t whitelisted is bad beyond the data directive because the size is unlimited (I have a feeling the data directive has an upper bound, although I have been able to get a data directive the size of 4k before, so maybe not). Additionally you can load multiple files, and the URL is much smaller if you don’t have to use the data directive. Anyone have any references on the upper bound?

All of this seems especially bad when Google hasn’t been particularly good about keeping their site bug free. But it’s not just that Google is untrustworthy. You could turn any site into a delegate the way Firefox has been built - as long as you can force a redirection. If you can force the redirection it will allow the file to be downloaded. I haven’t tested this but I’m sure someone on the boards will. I’ll be curious to see if it’s really as bad as I think it is. The web just isn’t safe enough to allow delegates. I guess it’s time to clean out my exception list until I need to install something again.
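To make the trust problem concrete, here is a small model of an install allowlist check, written for this page as an added illustration; it is not Firefox code. The allowlist is the two-entry default quoted in the comments below, and the requesting-page URLs and redirect chains are constructed for the example. The naive check decides on the origin of the page that asked for the install, which is all a redirect-based delegate needs to pass; the strict check requires every hop up to the final .xpi location to be an http(s) URL on an allowlisted host, so a redirect off the list or a data: URL is refused.

```python
"""
Model of a browser-side XPI install allowlist decision (added example, not
Firefox code). Demonstrates why checking only the requesting page's origin
lets a redirect turn any host into a delegate, and what a check over the
whole redirect chain refuses instead.
"""
from urllib.parse import urlsplit

# Default install allowlist as quoted on the page (hostnames only).
ALLOWLIST = {"addons.mozilla.org", "update.mozilla.org"}


def host_of(url):
    """Return the lowercase hostname of an http(s) URL, or None for any other
    scheme (data:, javascript:, ...) or for a URL without a host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def naive_install_allowed(requesting_page_url, allowlist=ALLOWLIST):
    """Flawed decision: trusts the install if the page that triggered it lives
    on an allowlisted host, regardless of where the .xpi is actually fetched
    from after redirects."""
    return host_of(requesting_page_url) in allowlist


def strict_install_allowed(redirect_chain, allowlist=ALLOWLIST):
    """Hardened decision: every hop, from the first request to the final .xpi
    location, must be an http(s) URL on an allowlisted host. An empty chain,
    a hop on a third-party host, or a non-http scheme such as data: denies."""
    if not redirect_chain:
        return False
    return all(host_of(hop) in allowlist for hop in redirect_chain)


# Constructed scenarios (hostnames under .example are placeholders).
REQUESTING_PAGE = "https://addons.mozilla.org/some/page"

# Ordinary install served directly from the allowlisted host.
LEGIT_CHAIN = ["https://addons.mozilla.org/ext/x.xpi"]

# The allowlisted host redirects to a third-party host that serves the .xpi.
DELEGATED_CHAIN = [
    "https://addons.mozilla.org/redirect?to=https://third-party.example/x.xpi",
    "https://third-party.example/x.xpi",
]

# The .xpi body is carried inline in a data: URL (contents are a placeholder).
DATA_CHAIN = ["data:application/x-xpinstall;base64,UEsDBAo="]


def compare(requesting_page_url, redirect_chain):
    """Return both decisions side by side for one scenario."""
    return {
        "naive": naive_install_allowed(requesting_page_url),
        "strict": strict_install_allowed(redirect_chain),
    }


if __name__ == "__main__":
    for name, chain in (("legit", LEGIT_CHAIN),
                        ("redirect", DELEGATED_CHAIN),
                        ("data", DATA_CHAIN)):
        print(name, compare(REQUESTING_PAGE, chain))
```

Running it shows the naive decision allowing all three scenarios because the requesting page is on addons.mozilla.org, while the strict decision allows only the direct install. Neither check can tell content the allowlisted host meant to serve from content injected through an XSS on that host, which is the post's point about host-based trust.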

This may yet prove my theory wrong - that it’s not the browser that’s flawed, it’s the plugins. In this case it definitely is the browser.

3 Responses to “Firefox Allows Any Site To Inject XPI Via XSS Via Delegation”

  1. maluc Says:

    hrm, but doesn’t the victim still need to press the OK button after a 3 second timer or so? or is there a way around that?

    Relying on the security of another website/corporation for your own security is a terrible idea when avoidable .-.

    and aww, it seems some punk fixed the XSS hole I was saving in www.mozilla.com ^^” - not sure if that’s one of the whitelisted domains.

  2. RSnake Says:

    Yes, I believe you would still have to click okay. But if you have an XSS hole in their site it would be pretty easy to convince people it was a patch or a service pack or whatever. Here’s a list of the standard exception list:

    addons.mozilla.org
    update.mozilla.org

    And yup, that’s it. Of course you can add others (it’s actually pretty common for people to do so). I’m not sure if there is any way to detect that or not though.

  3. pdp Says:

    Here is one thing that I haven’t shared with the community yet, but it proves RSnake’s point, which is: people are stupid and they will click on the install button just to get rid of the pop-up.

    I conducted a small experiment some time ago with a couple of websites that had signed JAR files embedded inside an APPLET tag. The cool thing about these JARs is they pretended to be coming from your vendor depending on your browser type and version. Once you load any of them, the JVM will ask you to approve the certificate they come with. If you press “yes” the JAR receives complete access to your system. 3 out of every 10 surveyed users clicked yes. The signed JARs I used for this experiment were in fact empty, so none got exploited, but this whole thing is a bit concerning. Why do people approve stuff that looks so malicious and obscure? I couldn’t believe my eyes when I saw the stats.

    If this simple, absolutely amateur technique is used together with one of these MySpace worms, 3 out of every 10 users will be infected with a virus. So if 1,000,000 users visit one of the XSSed profiles, 300,000 will become part of a botnet. How powerful and dangerous is that? That’s crazy. Insane!
