Disclaimer: I don’t blame people working on AMO for anything. They face extremely difficult problems and are working very hard. I am simply noting some areas where they still have a long way to go.
I started a little experiment — downloaded all extensions from addons.mozilla.org (AMO), unpacked them and tried to find security holes by searching for specific strings. As expected, it wasn’t all too difficult: one can easily find a dozen vulnerable extensions in an hour, and that is not even accounting for the fact that there is a certain unpopular class of extensions on AMO all sharing the same buggy code. The only reason I didn’t hit all too many high-profile extensions was that I was going through the extensions in alphabetical order instead of going by popularity.
Of course, everybody has two jobs, a family with five children and still has to find time to walk the dog. So it wasn’t exactly unexpected that I had to contact the extension authors myself. But what surprised me then was the suggestion not to file bugs for these issues but to contact the authors directly, because it was “only JSON”. These non-critical issues supposedly aren’t AMO’s concern and only increase the noise on Bugzilla. Yet I tend to treat all security bugs seriously, even the ones that are less likely to be exploited, and so far everybody from Mozilla seemed to agree with me on that. Consequently, security issues need a bug to track their progress; to me that is simply obvious. Add to that the fact that most extensions don’t have a bug database that can be used for that, and even if they do, there is usually no way to mark the bug “security sensitive”.
I honestly don’t like the fact that somebody at AMO is taking security lightly. Granted, the user already installed the extension, so why should he care that it will run code from the author’s site? But then, he didn’t necessarily trust its author — he trusted AMO, the very official Mozilla site for extensions. The extension has been reviewed and published, there can’t possibly be anything wrong with it, right? And even if the user trusts the extension’s author, does he have to trust his web server administration skills as well? If his web server is ever hacked and the extension evaluates the “JSON” it downloads from that server as JavaScript code without checking it first, then every computer with this extension installed might get infected with spyware or become a spam bot or just about anything else.
Dealing with users’ trust is a problem that AMO still has to face. People come to AMO bringing lots of trust, trust that Firefox has earned. And in return they get extensions, most of which are of far lower quality than Firefox itself. My little experiment proved the point: a large percentage of extensions on AMO are buggy to the extent of exposing users to security threats. Of course, once Remora goes online there will be “reliable” and “experimental” extensions, and the quality of the former should be better. Yet segmenting extensions by user reviews isn’t a silver bullet; these rarely are objective and well-informed. AMO could display warning texts in big red letters telling that whatever an extension breaks is only the extension author’s fault and neither AMO nor Firefox did anything wrong — but then again, shutting down AMO would work even better. Then at least the users will certainly notice that they are installing from an untrusted site. In the end, I doubt there is any real alternative to a code review. It won’t have to be thorough, but catching at least the most common problems like unnecessary use of eval() is a MUST.
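The pattern behind these “only JSON” bugs, and the kind of string search the experiment above relied on, as an added example that is not code from AMO or from any extension hosted there. The two server responses, the extension snippet, the config field names and the validateConfig() helper are all constructed for illustration; JSON.parse() stands in for whatever non-evaluating JSON parser an extension would bundle.

```javascript
// Added example (not code from AMO or from any extension on it): why passing a
// server response to eval() is a remote code execution hole, what the non-evaluating
// alternative looks like, and a grep-style check for the risky call sites.

// Constructed sample responses, standing in for what an extension's update/config
// server returns. The second one is what a compromised server could send: valid
// JavaScript, but not valid JSON, and it returns a plausible-looking config so that
// any validation done *after* evaluation is already too late.
const BENIGN_RESPONSE = '{"version": "1.0", "message": "all good"}';
const HOSTILE_RESPONSE =
  '(function () { globalThis.payloadRan = true; return {"version": "1.0"}; })()';

// Vulnerable pattern, as found in the extensions: the response is passed to eval(),
// so anything the server (or whoever controls it) sends runs with the extension's
// privileges. The parentheses are the usual trick to make a bare object literal parse.
function loadConfigWithEval(responseText) {
  return eval("(" + responseText + ")");
}

// Hardened pattern: JSON.parse() accepts only JSON data and throws a SyntaxError on
// anything else, so a compromised server can at most deliver bad data, never code.
function loadConfigWithJsonParse(responseText) {
  return JSON.parse(responseText);
}

// Hypothetical allow-list validation on top of parsing (field names are assumed):
// even well-formed JSON should only carry the fields the extension expects.
function validateConfig(config) {
  if (typeof config !== "object" || config === null) return false;
  if (typeof config.version !== "string") return false;
  if ("message" in config && typeof config.message !== "string") return false;
  return true;
}

// Run a loader over a response and report what happened instead of throwing.
function tryLoad(loader, responseText) {
  try {
    const config = loader(responseText);
    return { ok: validateConfig(config), config: config, error: null };
  } catch (e) {
    return { ok: false, config: null, error: e.name };
  }
}

// The string search from the experiment, slightly generalized: flag lines of an
// extension's JavaScript that hand a string to eval(), new Function() or setTimeout().
const RISKY_CALL = /\beval\s*\(|\bnew\s+Function\s*\(|\bsetTimeout\s*\(\s*["']/;
function findRiskyEvalCalls(source) {
  return source
    .split("\n")
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter(({ text }) => RISKY_CALL.test(text));
}

// Constructed snippet of the kind of extension code the search turns up.
const SAMPLE_EXTENSION_SOURCE = `
var req = new XMLHttpRequest();
req.open("GET", "http://example.invalid/update.json", false);
req.send(null);
var cfg = eval("(" + req.responseText + ")");   // the bug: remote code execution
var safe = JSON.parse(req.responseText);        // the fix: data only
`;

function demo() {
  console.log("eval, hostile:", tryLoad(loadConfigWithEval, HOSTILE_RESPONSE),
              "payloadRan =", globalThis.payloadRan);
  console.log("JSON.parse, hostile:", tryLoad(loadConfigWithJsonParse, HOSTILE_RESPONSE));
  console.log("JSON.parse, benign:", tryLoad(loadConfigWithJsonParse, BENIGN_RESPONSE));
  console.log("risky call sites:", findRiskyEvalCalls(SAMPLE_EXTENSION_SOURCE));
}
demo();
```

The instructive part is the first line of output: the eval() loader reports a valid config for the hostile response, because the payload has already run by the time there is anything to validate. That is why the fix has to be in how the response is parsed, not in what is checked afterwards.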
We’ll see how it goes. I for my part am waiting for Remora before I do something with AMO again. I will probably continue my experiment since I need to find more security holes to understand what the most common problems are and how they should be detected. But I won’t report the issues any more; it doesn’t seem to be worth my time. I hope I managed to raise awareness a little bit of the magnitude of problems AMO has to deal with. And I also hope that I proved another point as well — a central repository with the source code of all extensions hosted on AMO would be a huge gain. Not only because this way it is easier to search for problems that are likely to occur in many extensions. Gecko developers have a hard time finding out whether a certain feature is used in extensions and if it is — how often and in which ways. And the extension authors themselves need a way to find code examples easily to learn from each other (that, unfortunately, always includes wrong things as well, but that’s just how it is). Anyway, after Remora launches I will be there again annoying people with my suggestions…