Is there a danger we are signing malware?

Could we be leaving signed addons around that may be misused from third party sites?

I may be wrong in some of my presumptions here, but this may remain a valid question to ask.

Someone was asking elsewhere about an apparent Firefox Search hijack.
In that instance the addon was shown as:

    Searchme 2.5 (searchme@mybrowserbar.com)

Now I have no reason to think this is the same addon as

    SearchMe 0.7.1.1-signed by Video Communication [this][2]

However the signed addon has few users and the two reviews a & b suggest this is a browser hijacker.

Is there a possibility that leaving such signed addons around opens a backdoor to those addons being hosted elsewhere and used as malware? Users may inadvertently download and install such addons from third party sites. The addons will already be signed.

In relation to the above-mentioned addon:

  1. How and why did that addon get approved in the first place, if it does indeed act as a browser hijacker, as the reviews suggest?
  2. Do we have any requirements that the support and home sites displayed on addons.mozilla.org are correct? (I am not sure they are for this particular addon.)

Toolbars or PUPs with similar names and functions may not have a good reputation; see for example http://malwaretips.com/blogs/remove-searchme-toolbar/

The add-on you pointed to on AMO doesn’t appear to be doing anything wrong. Even if it were a bad add-on and it were signed, users wouldn’t be in a riskier situation than they would be in without signing.

As for your second question, no, we don’t strictly validate those URLs, and they can change at any time.

“Even if it were a bad add-on and it were signed, users wouldn’t be in a riskier situation than they would be in without signing.”

And with signing we’re in a much better position to blocklist the addon retroactively–even if distributed from a non-AMO site–once we find out it was malicious.

That’s interesting; how does that work? Does Firefox check whether an addon’s signature is still valid on every startup of the browser? Or when it checks for updates?

Yes, Firefox checks regularly that the signature is still valid. I don’t think it blocks startup, but it happens early in the session.
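The tamper check behind that reply, as an added example that is not code from Mozilla or from this thread: a signed XPI carries a META-INF/manifest.mf listing a digest for every file, so any file changed after signing no longer matches. The sample XPI is constructed inline, and the script verifies only the per-file digests, not the PKCS#7 signature in META-INF/mozilla.rsa that Firefox also checks.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Map each Name entry of a JAR-style META-INF/manifest.mf to its SHA256-Digest."""
    digests = {}
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Name" in fields and "SHA256-Digest" in fields:
            digests[fields["Name"]] = fields["SHA256-Digest"]
    return digests

def check_xpi(xpi_bytes):
    """Return the files whose contents no longer match the digests in manifest.mf."""
    # Firefox also verifies the PKCS#7 signature in META-INF/mozilla.rsa; this covers only the digests.
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/manifest.mf").decode())
        for name in z.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directory entries are not listed
            actual = base64.b64encode(hashlib.sha256(z.read(name)).digest()).decode()
            if digests.get(name) != actual:  # unlisted file or altered content
                mismatches.append(name)
    return mismatches

def build_xpi(files):
    """Constructed sample: zip `files` and add a manifest.mf with SHA256 digests."""
    lines = ["Manifest-Version: 1.0", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            lines += [f"Name: {name}", "Digest-Algorithms: SHA256", f"SHA256-Digest: {digest}", ""]
        z.writestr("META-INF/manifest.mf", "\n".join(lines))
    return buf.getvalue()

def replace_file(xpi_bytes, name, data):
    """Re-zip with one file swapped and META-INF left untouched (an edit made after signing)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for entry in src.namelist():
            dst.writestr(entry, data if entry == name else src.read(entry))
    return out.getvalue()

SIGNED = build_xpi({"manifest.json": b'{"name": "example"}', "background.js": b"console.log(1);"})
EDITED = replace_file(SIGNED, "background.js", b"// content changed after signing")
```

`check_xpi(SIGNED)` returns an empty list, while `check_xpi(EDITED)` reports `background.js`, which is why a repackaged copy hosted elsewhere fails the signature check even though META-INF still holds a valid signature.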

I have now posted an example where a signed addon is apparently effectively malware.