Additional Threat Modeling for Share

September 26, 2011

addition data in privacy review: https://wiki.mozilla.org/Privacy/Reviews/F1A

alpha plan: https://wiki.mozilla.org/Labs/F1/AlphaPlan

• SMTP Threats
  • Some addons might be tempted to use this addon to SPAM
• How much of the UI/implementation is dynamically loaded over the network?
  • There is no remotely-loaded content in the Alpha release, resources are loaded from the add on itself into sub-Iframes
• In future releases, some parts of the UI will be dynamically loaded, e.g. icons for service providers?
• Thumbnails
  • Page screenshot thumbnail code has been removed for this alpha release
• Follow-up Things
  • Review for Injection attacks --> bsterne to file bug
    • Data from content is being shared, but it isn't shared *by* content
    • Content can influence what data is pre-filled using OGP tags, makes it easier to mount injection attacks if there are any vulnerabilities
    • Fuzz testing?
  • SMTP code: https://github.com/mozilla/fx-share-addon/tree/feature/gmail/lib/email
    • • Need to check SMTP code against injection attacks / proper escaping
  • Make sure that the JetPack panel (used for preview) uses type="content" - verified, type is content.
  • Share preview addon with secteam@mozilla.com
  • Come up with a way to sign this addon (not necessary for alpha release)
• Pages cannot trigger the sharing process in this alpha release

page scraping: https://github.com/mozilla/fx-share-addon/blob/feature/gmail/lib/panel.js#L271