Well, yes and no.
Yes, I am a bit disappointed. Don't get me wrong, I think that the development team, the AMO editors and you guys moderating this forum are doing an excellent job and I want to voice my appreciation for the time and effort all of you put into this project.
I guess my disappointment is the fruit of my ignorance that has now partly vanished. The realization that FF is not as I imagined it to be is a cold shower.
You can tell by the original title of this post that I did NOT have a clue about relationships between addon-2-addon and core_application-2-addon. When I asked:
me wrote: ...is there even a remote possibility that another add-on can steal data from my add-on?
I expected someone to say:
nobody wrote: No, you don't have to worry about that!
I tried and as you say "it is really quite simple". I really did not expect this.
I also know that JS has its limits and, under the current circumstances, I agree with you that it is not the right choice for my add-on to hold sensitive data.
But even if it wasn't the case, my original preoccupation has become secondary. The real problem is another. Once the username and the password make it to the form they are completely at the add-on's mercy. Even if they came from a secure channel, encrypted, and stored in some super-secure dll, once they become clear text values in form fields, they are free to be accessed by any add-on. Which would not be a problem as long as it could be controlled where add-ons send out data to.
Talking to you guys made me do some reading on-line about FF security and I came upon this. You might remember the Security Vulnerability Announcement written by Jorge Villalobos on 13/07/2010 about the MozillaSniffer issue:
Jorge Villalobos wrote: If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location...
**zzo!!!! Well, Sniffer it is called and that's what it does...
You see, this one has slipped through full review. I repeat, I think AMO editors are doing a great job and maybe one day when I have the competence I will ask to join them to help. But we must know our limits - WE ARE HUMANS AND WE MAKE MISTAKES.
As a matter of fact, on the same bulletin there is another issue: CoolPreviews. A little "funky" code in the href attribute that you don't even have to click (just hover) and it would attempt to make changes to your OS's hosts file. I am really happy for those !!! 177.000 users !!! that this one was a proof of concept and maybe only 10% of them had their names written into their hosts file. It is still 17.000 users who risked big time! You know, I am a *NIX user and I use superuser for what it is intended to be used for - but talk to the "normal" Windows users. From my experience 1 out of 2 uses admin privileges for everyday tasks (such as browsing on the web) because doing so they can do things without being asked "stupid" questions by the OS.
Now, can you tell me why on earth FF, or any other application intended to browse remote resources (ranging from secure to evil), should have access to the hosts file, or for that matter to any file outside of the user's home folder (one could even argue outside the current profile)??? For me, there cannot be a plausible answer to this.
In fact, I would really like to know what actions were taken, apart from obviously removing the add-ons, to make sure threats like this are never repeated again.
... and the no part...
No, this is not my paradigm. Perhaps I use the term inappropriately. What I mean is "by definition". By definition, my add-on, as any other, is an integral part of the core application and as such has as much "power" as the core application itself. This is not something I required or set when I created my add-on. FF gives me all this "power" without any further ado. You say:
iann wrote: ...you want your own personal bit of Firefox to somehow have privileges that no other part of the application has
but I don't really. I don't want access to system files, I don't want to launch separate processes, I don't want to modify/erase preferences of the core application or of other add-ons and I don't want to access other add-ons' methods or variables. I don't need any of this stuff. But my add-on is granted to do all of it. The only thing I want is the privacy of my add-on but this one I cannot have.
Well, yes I can, but the only way to do that is by being the ONLY add-on installed in that profile.
And this is quite a disappointing conclusion.