
Mozilla Firefox 3.6 Setting Personas
Posted Jan 27, 2010
Authored by Artur Janc

Mozilla Firefox version 3.6 suffers from an arbitrary setting of Personas without user interaction.

tags | advisory, arbitrary
SHA-256 | c0a381292581d3fcf994fd260f74219521dc77f1c33df1488cff34970457cc73

---------------------------------------------------------------------------
Title: Setting arbitrary Personas without user interaction in Firefox 3.6
Product: Mozilla Firefox
Version: 3.6
PoC: http://wtikay.com/personas/
By: Artur Janc
Date: 01/26/2010
---------------------------------------------------------------------------

1. OVERVIEW

The recent release of Firefox 3.6 introduces support for browser "Personas"
-- lightweight image-based themes which alter the look and feel of the
browser chrome.

A malicious website can set a user's Persona to an arbitrary theme, disable
Undo functionality in the browser's information bar, and obfuscate the Persona
entry in the Themes pane of the Tools | Add-ons pane to make the detection and
deletion of a rogue theme somewhat more difficult.

2. DETAILS

2.1. Behavior

The ability to install or preview Personas is controlled by the same Allowed
Sites whitelist that governs the installation of Firefox extensions. However,
unlike the extension installation process, setting Personas does *not* require
the user's explicit agreement (for example, the post-upgrade "firstrun" page
previews featured Personas on hover). To give users control of the currently
set Persona, Firefox displays an information bar with "Undo" and "Manage
Themes" buttons upon any Persona-related action (preview or installation).

2.2. Vulnerability Description

Any XSS vulnerability in one of the two hosts whitelisted by default
(getpersonas.com and addons.mozilla.org) will allow the attacker to install and
activate an arbitrary Persona using a JavaScript event with a properly
specified DOM element as an argument, without prompting the user.

The PoC uses XSS in http://www.getpersonas.com/en-US/gallery/Designer/XXX

Setting the same rogue theme twice in quick succession will render the Undo
button useless, as the "previous" theme will be the same as the last one set by
the attacker.

The user will be able to click "Manage Themes" on the information bar to view
installed themes. However, all pieces of Persona-related information shown in
the list are controlled by the attacker, so nothing prohibits the attacker from
calling her theme "Default", setting the author to "Mozilla Corp." and setting
an innocuous icon and "preview" image to resemble the default Firefox theme.
The same Persona can be installed with multiple IDs to introduce clutter in the
menu and make detecting the rogue Persona and cleaning up the list more
painful.

2.3. Proof of Concept

http://wtikay.com/personas/
http://wtikay.com/personas/persona-non-grata.js

3. IMPACT

This issue might cause some inconvenience to users whose browsers' UI suddenly
starts showing intrusive ads or pornography, or becomes completely garbled
(see PoC), especially those not savvy enough to figure out which of the
installed Personas is causing the problem. Another, more surreptitious and
troubling possibility is to install a Persona indistinguishable from the
default theme (i.e. transparent image) and use a custom updateURL argument to
get the victim's browser to periodically phone home to the attacker's
webserver, potentially enabling some level of user tracking.
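
The cleanup problem described in sections 2.2 and 3 can be approached as an audit of the installed Persona list. The following is an added example, not part of the original advisory or of Firefox: it assumes the list is available as JSON records, and every field name other than updateURL (id, name, author, headerURL) is an assumption modeled on the metadata the advisory lists.

```javascript
// Added example, not from the advisory. Field names other than updateURL
// are assumed; SAMPLE is constructed data.
const TRUSTED_HOSTS = ["getpersonas.com", "addons.mozilla.org"];

function hostIsTrusted(urlString) {
  let host;
  try {
    host = new URL(urlString).hostname.toLowerCase();
  } catch (e) {
    return false; // an unparsable URL is treated as untrusted
  }
  return TRUSTED_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

function auditPersonas(personas) {
  const findings = [];
  const idsByImage = new Map();
  for (const p of personas) {
    // Section 3: a custom updateURL makes the browser poll a third party.
    if (p.updateURL && !hostIsTrusted(p.updateURL)) {
      findings.push({ id: p.id, issue: "update-url-off-whitelist" });
    }
    // Section 2.2: name and author are free text, so a look-alike of the
    // built-in theme is a lead for manual review, not proof.
    if (/^\s*default\s*$/i.test(p.name || "") || /mozilla/i.test(p.author || "")) {
      findings.push({ id: p.id, issue: "impersonates-default-theme" });
    }
    if (p.headerURL) {
      if (!idsByImage.has(p.headerURL)) idsByImage.set(p.headerURL, []);
      idsByImage.get(p.headerURL).push(p.id);
    }
  }
  // Section 2.2: one image installed under several IDs clutters the list.
  for (const ids of idsByImage.values()) {
    if (ids.length > 1) {
      for (const id of ids) findings.push({ id, issue: "same-image-multiple-ids" });
    }
  }
  return findings;
}

const SAMPLE = [ // constructed records, not taken from a real profile
  { id: "1001", name: "Groovy Blue", author: "a designer",
    headerURL: "http://www.getpersonas.com/h1.jpg", updateURL: "http://www.getpersonas.com/u/1001" },
  { id: "9001", name: "Default", author: "Mozilla Corp.",
    headerURL: "http://tracker.example/blank.png", updateURL: "http://tracker.example/ping" },
  { id: "9002", name: "Default", author: "Mozilla Corp.",
    headerURL: "http://tracker.example/blank.png", updateURL: "http://tracker.example/ping" },
];
console.log(auditPersonas(SAMPLE));
```

Because all displayed metadata is supplied by whoever installed the Persona, the updateURL host and the duplicate-image check are the stronger signals; the name and author match only narrows what to inspect by hand.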

4. FIX

To ensure that Personas cannot be automatically set by malicious websites,
Firefox should follow the model it adopted with browser extensions and prompt
the user before installing any new Persona. In the absence of such a fix, it is
necessary to audit all whitelisted Mozilla hosts for XSS vulnerabilities
(probably a good idea anyway) and hope that site updates don't introduce any
new ones.

5. DISCLOSURE

Since the immediate workaround for this problem is to patch XSS vulnerabilities
on Mozilla webservers, which doesn't require pushing client-side updates,
Mozilla is notified by receiving a copy of this report.