TST information disclosure vulnerability #2288
Summary

Both old TST (3.0.13 and older) and MTH (3.0.6 and older) violated the security model of the WebExtensions API. They unintentionally disclosed some sensitive tab data to other addons via their API even if the caller didn't have permissions. If you installed any "attacker" addon, it could read such data and use it with its own permissions. Currently there is no information about the existence of such "attacker" addons yet.

Range of possibly leaked data

Both those addons provide an API for other addons to collaborate. On their APIs

Firefox sometimes shows a security alert, for example a list of required permissions when an addon is going to be installed, and a confirmation the first time a tab is hidden by an addon. On the other hand, TST and MTH didn't implement such alerts, so that information might have been leaked to "attacker" addons silently.

Why the incident happened

I wrote a blog post looking at reasons why the vulnerability was introduced.

Status of provision

Please update to TST 3.0.14 and MTH 3.0.7 (and newer versions). They don't disclose that data silently in API responses anymore.
Summary

Older versions of TST (3.0.13 and earlier) and MTH (3.0.6 and earlier) behaved in a way that violated the security model of the WebExtensions API. In those versions, tab information that could include personal data was exposed, through the API provided for other addons, to addons that should not have had the permission to obtain it. If you had installed an addon acting as an "attacker", that data could have been read out and used with that addon's own permissions. So far, no addon corresponding to such an "attacker" has been confirmed to exist.

Range of data that may have been leaked

These addons provide an API for collaboration with other addons, and over that API, through responses to requests and notifications of events,

Firefox itself sometimes displays security warnings about addons. Specifically, it shows the list of requested permissions at install time, and shows a warning and confirmation when a tab is about to be hidden for the first time, among other cases. TST and MTH, by contrast, had no such warning mechanism, so information may have been handed to an "attacker" addon with no warning at all.

Why this happened

Status of the response

Please update to TST 3.0.14 and MTH 3.0.7 or later. In those versions, the information described above is no longer passed to other addons without warning.
So this is a hypothetical based on the possible existence/creation of yet unknown "attacker" addons? So this is a little over my head technically. When you say a tab is hidden, please explain. Is this the type of thing that is only relevant to private window security?
Yes. I have not received any report about such an attacker addon yet.
Not only on private windows.
I think I need to research all existing known public WebExtensions addons registered on signed by Mozilla at least, to make actual damage on regular usecase clear. But I don't know how to do that...
@nollinvoyd is this sufficient? If so, can you close this item?
I see that you addressed the data disclosure problem issue in the latest version. I am not qualified to analyze the changes, but if you are satisfied with the current state of TST, so am I. Thanks
Tree Style Tab 3.0.13, Windows 10 Pro, Firefox 67
I've updated TST and Multiple Tab Handler.
I'd appreciate a more complete explanation of what we might or should be concerned about. Your message on the addon page about the issue was confusing.