Adblock Plus and (a little) more

Vulnerable extensions survey · 2009-02-05 16:49 by Wladimir Palant

I spent in total something like 10 hours searching 78 of the top 100 extensions for signs of unsafe interactions with the web (yes, I failed downloading the extensions that are hidden behind a EULA, will do better next time). The result: 14 extensions with severe vulnerabilities (typically the kind of vulnerability that lets a web page take over your browser and even the computer if your browser runs with administrator privileges) and several proof-of-concept exploits. The good news: I don’t think that I missed too many vulnerable extensions; when I searched for more patterns I just kept finding new issues in the extensions that were already known to be vulnerable. More good news: none of the top 10 most popular extensions made the list. The bad news: many of the remaining extensions didn’t make this list simply because they don’t interact with the web or only interact with the web in ways that are relatively unproblematic. Some others were just too messy to get an overview in reasonable time, so it was impossible to understand whether questionable coding practices actually caused security issues.

Displaying web content in an extension - without security issues · 2009-01-28 12:02 by Wladimir Palant

Over the last few years I reported a bunch of security vulnerabilities in various extensions and by far the most common issue was: “Extension Foo allows execution of remote code in privileged context”. Typically, an RSS reader extension would take the content of the RSS feed (HTML code), format it nicely and insert it into the extension window. The issue that is overlooked here is that the RSS feed could contain some JavaScript code and it would then execute with the privileges of the extension — meaning for example that it would get full access to the browser (cookies, history etc.) and to the user’s files. pdp discovered a similar issue in the Firebug extension that uses an HTML-based templating system and forgot to sanitize some input received from the webpage.

Emulating Window.openDialog with JavaScript arguments in an XPCOM component · 2008-07-02 13:27 by Wladimir Palant

Opening a XUL dialog from JavaScript is usually easy: you use the Window.openDialog method, which is almost the same as Window.open but also accepts some parameters that the dialog will be able to access via the Window.arguments collection. But what if your JavaScript code runs inside an XPCOM component and doesn’t have a window? Still not very hard, you use the nsIWindowWatcher.openWindow method then. The tricky part here, however, is passing parameters to the dialog. I had to resort to hacks here in the past, and other people seem to have issues with that as well, so I thought I would share the solution.

Putting an icon inside a menulist · 2006-06-15 18:17 by Wladimir Palant

So I wanted the inline editor for Adblock Plus filters to have an icon that cancels it. Shouldn’t be much of a problem? Yes, that’s what I thought. But the editor is an editable menuitem — and a look at chrome://global/content/bindings/menulist.xml shows that you have to use a regular menulist if you want an image there.
