[tor-bugs] #10682 [TorBrowserButton]: Disable update pings for Torbutton and Tor Launcher
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 21 04:31:46 UTC 2014
#10682: Disable update pings for Torbutton and Tor Launcher
------------------------------+---------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: critical | Milestone:
Component: TorBrowserButton | Version:
Keywords: tbb-security | Actual Points:
Parent ID: | Points:
------------------------------+---------------------------
Bobnomnom reports that it is currently possible to hijack addon updates of
Torbutton and TorLauncher by submitting a fake version to
addons.mozilla.org with a matching addon uid. Because both of these addons
lack an update url, they both still ping addons.mozilla.org for updates to
their addon ID. Mozilla reviewers might catch an attempt by a rogue addon
upload that is trying to steal our ID and do bad things, but then again
they might not.

It used to be possible to disable individual addon updates by creating a
pref for extensions.{id}.updates.enabled, but I think this has now
changed. There still is a mechanism for it though. The addons UI has a
"More..." link for each addon that opens a pane where you can click a
radio button to disable updates for that addon. It does not appear to set
any prefs though.

We need to investigate what this UI is doing now and set the equivalent
value somehow ourselves.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10682>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
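
An added example, not part of the ticket and not Tor Project code: a check that reads an add-on's install manifest and reports whether it declares its own update URL, the condition the report above ties to update pings by add-on ID. It assumes the legacy Firefox `install.rdf` manifest format and its `em:updateURL` property, neither of which the ticket names, flags a non-HTTPS update URL as a further case beyond the ticket, and uses constructed placeholder IDs and URLs.

```python
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"

def manifest_prop(desc, name):
    # install.rdf may give an em: property as a child element or an attribute.
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")

def audit_install_rdf(xml_text):
    # Returns (add-on id, verdict) for the top-level install manifest only.
    for desc in ET.fromstring(xml_text).iter(f"{{{RDF}}}Description"):
        about = desc.get("about") or desc.get(f"{{{RDF}}}about")
        if about != "urn:mozilla:install-manifest":
            continue  # skips nested targetApplication descriptions
        addon_id = manifest_prop(desc, "id")
        update_url = manifest_prop(desc, "updateURL")
        if not update_url:
            return addon_id, "no-update-url"  # the case the ticket describes
        if not update_url.lower().startswith("https://"):
            return addon_id, "insecure-update-url"
        return addon_id, "own-update-url"
    raise ValueError("no install-manifest Description found")

# Constructed manifests; the IDs and URLs are placeholders, not real add-ons.
NO_URL = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>first-addon@example.invalid</em:id>
    <em:targetApplication><Description>
      <em:id>host-app@example.invalid</em:id>
    </Description></em:targetApplication>
  </Description>
</RDF>"""
OWN_URL = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest"
               em:id="second-addon@example.invalid"
               em:updateURL="https://updates.example.invalid/update.rdf"/>
</RDF>"""

if __name__ == "__main__":
    for doc in (NO_URL, OWN_URL):
        print(audit_install_rdf(doc))
```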