[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #10682 [TorBrowserButton]: Disable update pings for Torbutton and Tor Launcher
#10682: Disable update pings for Torbutton and Tor Launcher
------------------------------+---------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: critical | Milestone:
Component: TorBrowserButton | Version:
Keywords: tbb-security | Actual Points:
Parent ID: | Points:
------------------------------+---------------------------
Bobnomnom reports that it is currently possible to hijack addon updates of
Torbutton and TorLauncher by submitting a fake version to
addons.mozilla.org with a matching addon uid. Because both of these addons
lack an update url, they both still ping addons.mozilla.org for updates to
their addon ID. Mozilla reviewers might catch an attempt by a rogue addon
upload that is trying to steal our ID and do bad things, but then again
they might not.
It used to be possible to disable individual addon updates by creating a
pref for extensions.{id}.updates.enabled, but I think this has now
changed. There still is a mechanism for it though. The addons UI has a
"More..." link for each addon that opens a pane where you can click a
radio button to disable updates for that addon. It does not appear to set
any prefs though.
We need to investigate what this UI is doing now and set the equivalent
value somehow ourselves.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10682>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs