XPI files are not checked by download protection
Reported by resea...@nightwatchcybersecurity.com, Apr 1 2016
Issue description

VERSION
Chrome Version: 49.0.2623.110
Operating System: Mac OS X 10.11.4, also affects Windows

REPRODUCTION CASE
XPI files, which are Firefox extensions, should be checked. This is mitigated by the fact that Firefox prompts the user before installing an extension.
Apr 4 2016

Apr 4 2016
meacer -- Do you know how XPI files are handled by Firefox? Are they auto-loaded and auto-executed if you open them from the file system? If Firefox prompts, then there is enough friction that this wouldn't qualify for VRP.
Apr 4 2016
Here's the process: https://accessfirefox.org/Install_Addon_Manually.php
Here's a video demo: https://youtu.be/u36KaXCI5T4?t=32
Firefox does show a confirmation prompt and asks the user to only install extensions from trusted authors.
Apr 5 2016
Most importantly, Windows doesn't recognize the XPI filetype and doesn't associate it with Firefox, so the user needs to know how to make Firefox consume it. https://support.mozilla.org/en-US/questions/1009049
In my opinion, that raises the friction high enough.
Apr 5 2016
I agree, I'm pretty sure Firefox will almost always ask if the user wants to install the extension, making this file type not that dangerous.
Apr 5 2016
research@nightwatchcybersecurity.com: Thanks a lot for filing this bug under the SafeBrowsing VRP. Merely downloading an XPI file is not dangerous in itself and requires a non-trivial amount of work by the user afterwards. Therefore, based on the rules of the program, this bug is ineligible for a reward because it doesn't meet the condition: "minimal user interaction with the file".
Mar 9 2017

Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Apr 1 2016