--------------------------------------------------------------------------- Title: Setting arbitrary Personas without user interaction in Firefox 3.6 Product: Mozilla Firefox Version: 3.6 PoC: http://wtikay.com/personas/ By: Artur Janc Date: 01/26/2010 --------------------------------------------------------------------------- 1. OVERVIEW The recent release of Firefox 3.6 introduces support for browser "Personas" -- lightweight image-based themes which alter the look and feel of the browser chrome. A malicious website can set a user's Persona to an arbitrary theme, disable Undo functionality in the browser's information bar, and obfuscate the Persona entry in the Themes pane of the Tools | Add-ons pane to make the detection and deletion of a rogue theme somewhat more difficult. 2. DETAILS 2.1. Behavior The ability to install or preview Personas is controlled by the same Allowed Sites whitelist as for installing Firefox extensions. However, contrary to the extensions installation process, setting Personas does *not* require the user's explicit agreement (for example the post-upgrade "firstrun" page previews featured Personas on hover). To give users control of the currently set Persona, Firefox displays an information bar with "Undo" and "Manage Themes" buttons upon any Persona-related action (preview or installation). 2.2. Vulnerability Description Any XSS vulnerability in one of the two hosts whitelisted by default (getpersonas.com and addons.mozilla.org) will allow the attacker to install and activate an arbitrary Persona using a JavaScript event with a properly specified DOM element as an argument, without prompting the user. The PoC uses XSS in http://www.getpersonas.com/en-US/gallery/Designer/XXX Setting the same rogue theme twice in quick succession will render the Undo button useless, as the "previous" theme will be the same as the last one set by the attacker. The user will be able to click "Manage Themes" on the information bar to view installed themes. However, all pieces of Persona-related information shown in the list are controlled by the attacker, so nothing prohibits the attacker from calling her theme "Default", setting the author to "Mozilla Corp." and setting an innocuous icon and "preview" image to resemble the default Firefox theme. The same Persona can be installed with multiple IDs to introduce clutter in the menu and make detecting the rogue Persona and cleaning up the list more painful. 2.3. Proof of Concept http://wtikay.com/personas/ http://wtikay.com/personas/persona-non-grata.js 3. IMPACT This issue might cause some inconvenience to users whose browsers' UI suddenly starts showing intrusive ads or pornography, or becomes completely garbled (see PoC), especially those not savvy enough to figure out which of the installed Personas is causing the problem. Another, more surreptitious and troubling possibility is to install a Persona indistinguishable from the default theme (i.e. transparent image) and use a custom updateURL argument to get the victim's browser to periodically phone home to the attacker's webserver, potentially enabling some level of user tracking. 4. FIX To ensure that Personas cannot be automatically set by malicious websites, Firefox should follow the model it adopted with browser extensions and prompt the user before installing any new Persona. In the absence of such a fix, it is necessary to audit all whitelisted Mozilla hosts for XSS vulnerabilities (probably a good idea anyway) and hope that site updates don't introduce any new ones. 5. DISCLOSURE Since the immediate workaround for this problem is to patch XSS vulnerabilities on Mozilla webservers, which doesn't require pushing client-side updates, Mozilla is notified by receiving a copy of this report.