Same-origin violation with InstallTrigger callback
- July 12, 2005
- Matthew Mastracci
- Low (High for Mozilla Suite)
- Firefox, Mozilla Suite
- Fixed in
  - Firefox 1.0.5
  - Mozilla Suite 1.7.10
The InstallTrigger.install() method for launching an install
accepts a callback function that will be called with the final success
or error status. By forcing a page navigation immediately after
calling the install method this callback function can end up running
in the context of the new page selected by the attacker. This is true
even if the user cancels the unwanted install dialog: cancel is an
error status. This callback script can steal data from the new page, such
as cookies or passwords, or perform actions on the user's behalf, such
as making a purchase if the user is already logged into the target site.
In Firefox, the default settings allow only http://addons.mozilla.org to bring up this install dialog. The flaw can be exploited only if the user has added questionable sites to the install whitelist, and a malicious site that can convince a user to install software from it already has a much more powerful attack vector.
In the Mozilla Suite the whitelist feature is turned off by default, so any site can prompt the user to install software and exploit this vulnerability.
The browser has been fixed to clear any pending callback function when switching to a new site.
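The fix can be pictured with a small model. This is an added example, not Mozilla code: `ModelWindow`, `simulate`, the example hosts and the `"cancelled"` status are constructed, and "new site" is assumed to mean a change of origin.

```javascript
// Toy model of a pending install callback and of the fix the advisory
// describes: the callback is dropped when the window moves to a new site.
class ModelWindow {
  constructor(url, clearOnNavigate) {
    this.url = new URL(url);
    this.clearOnNavigate = clearOnNavigate; // true = behaviour after the fix
    this.pending = null;                    // callback awaiting install status
  }
  // Stand-in for InstallTrigger.install(): only records the callback.
  install(callback) {
    this.pending = { callback, registeredBy: this.url.origin };
  }
  navigate(url) {
    const next = new URL(url);
    if (this.clearOnNavigate && next.origin !== this.url.origin) {
      this.pending = null; // the fix: a pending callback does not survive
    }
    this.url = next;
  }
  // The install dialog has finished; cancel is reported as an error status.
  finishInstall(status) {
    if (!this.pending) return null;
    const { callback, registeredBy } = this.pending;
    this.pending = null;
    callback(status);
    return { registeredBy, ranIn: this.url.origin };
  }
}

// Register a callback, optionally navigate, then let the dialog finish.
function simulate(clearOnNavigate, navigateTo) {
  const w = new ModelWindow("http://installer.example/start", clearOnNavigate);
  let statusSeen = null;
  w.install((status) => { statusSeen = status; });
  if (navigateTo) w.navigate(navigateTo);
  const run = w.finishInstall("cancelled"); // constructed status value
  const crossOrigin = run !== null && run.registeredBy !== run.ranIn;
  return { run, statusSeen, crossOrigin };
}

console.log("before fix:", simulate(false, "http://shop.example/account"));
console.log("after fix: ", simulate(true, "http://shop.example/account"));
console.log("no navigation:", simulate(true, null));
```

In the unfixed model the callback registered by one origin runs while the window shows another; with the fix it never runs after a cross-origin navigation, while an install that completes on the original page still reports its status.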
Firefox: Remove untrustworthy sites from the list of those allowed to install, or turn off software installation entirely.
- Open the Options dialog from the Tools menu
- Select the Web Features icon in the left panel
- Uncheck the "Allow web sites to install software" box, or click the "allowed sites" button on that line to remove untrusted sites.
Mozilla Suite: Turn off the software installation feature.
- Open the Preferences dialog from the Edit menu
- Select "Software Installation" in the "Advanced" group in the left panel.
- Uncheck the "Enable software installation" checkbox.