2016-05-05, 16:02
(2016-05-05, 09:34)spoyser Wrote:
It may be worth mentioning that it is also possible to "hijack" an addon simply by pushing an addon with the same ID as an existing one but with a higher version number (provided the user has your repo installed).
So theoretically a developer could push a rogue YouTube addon to their repo with a bumped version number; anyone with that repo and the official YouTube addon (from the org repo) would get their addon updated to the rogue addon (if they have auto-updates on, they might not even notice it).
This rogue addon could behave exactly the same as the official one, but under the hood could be doing anything it felt like; if it runs a service it wouldn't even need to be started, simply having it installed would be enough.

Couldn't this be easily fixed by disallowing automatic updates from a different repo than the one the addon was originally installed from by the user? If the user wants to do a cross-repo update (i.e. for some addon that was abandoned and then reappeared in a different repo), it would have to be done manually by the user.
Or going even further, being able to mark whole repos as valid / not valid sources for automatic addon updates, with all of the installed repos but the official one being marked as not auto-updatable by default; if the user activates auto-update for a given repo, a warning should be given about this security issue...
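The two mitigations proposed in this post (only auto-update from the addon's origin repo, and an explicit per-repo opt-in for cross-repo auto-updates) can be expressed as a small update-policy check. The code below is an added example written for this thread; it is not code from the Kodi project or from either poster. The addon IDs, repository names and version numbers are constructed sample data, and the `UpdatePolicy` / `plan_updates` names are this example's own, not a Kodi API.

```python
"""Update-policy check for the origin-repo and trusted-repo proposals.
Added example; not Kodi project code. All IDs, repos and versions are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.8.2' into (6, 8, 2) for comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass
class InstalledAddon:
    addon_id: str
    version: str
    origin_repo: str   # repo the user originally installed the addon from


@dataclass
class CandidateUpdate:
    addon_id: str
    version: str
    repo: str          # repo offering this version


@dataclass
class UpdatePolicy:
    # Repos the user has explicitly allowed (after a warning) to auto-update
    # addons that were installed from a different repo.
    cross_repo_trusted: set = field(default_factory=set)

    def decide(self, installed: InstalledAddon, cand: CandidateUpdate) -> str:
        """Return 'auto', 'manual' or 'skip' for one candidate update."""
        if parse_version(cand.version) <= parse_version(installed.version):
            return "skip"            # not newer than what is installed
        if cand.repo == installed.origin_repo:
            return "auto"            # same repo the user chose originally
        if cand.repo in self.cross_repo_trusted:
            return "auto"            # user opted in to cross-repo updates from this repo
        return "manual"              # same ID, other repo: needs explicit user action


def plan_updates(installed: List[InstalledAddon], candidates: List[CandidateUpdate],
                 policy: UpdatePolicy) -> Dict[str, dict]:
    """Per installed addon, pick the highest-version candidate the policy allows
    to apply automatically, and collect the ones that must be confirmed by hand."""
    by_id = {a.addon_id: a for a in installed}
    plan: Dict[str, dict] = {a.addon_id: {"auto": None, "manual": []} for a in installed}
    for cand in candidates:
        inst = by_id.get(cand.addon_id)
        if inst is None:
            continue                 # addon not installed; nothing to update
        verdict = policy.decide(inst, cand)
        if verdict == "auto":
            current: Optional[CandidateUpdate] = plan[cand.addon_id]["auto"]
            if current is None or parse_version(cand.version) > parse_version(current.version):
                plan[cand.addon_id]["auto"] = cand
        elif verdict == "manual":
            plan[cand.addon_id]["manual"].append(cand)
    return plan


# Constructed sample state: one addon from the "official" repo, one from a third-party repo.
SAMPLE_INSTALLED = [
    InstalledAddon("plugin.video.example", "6.8.0", "repository.official"),
    InstalledAddon("script.module.example", "1.0.0", "repository.thirdparty"),
]
# Constructed candidates, including a same-ID, bumped-version addon from another repo.
SAMPLE_CANDIDATES = [
    CandidateUpdate("plugin.video.example", "6.8.1", "repository.official"),
    CandidateUpdate("plugin.video.example", "9.9.9", "repository.thirdparty"),
    CandidateUpdate("script.module.example", "1.1.0", "repository.thirdparty"),
    CandidateUpdate("script.module.example", "0.9.0", "repository.thirdparty"),  # older, skipped
]


def demo(trusted=()) -> Dict[str, dict]:
    """Run the sample data through the policy with the given trusted repos."""
    return plan_updates(SAMPLE_INSTALLED, SAMPLE_CANDIDATES, UpdatePolicy(set(trusted)))


if __name__ == "__main__":
    for addon_id, entry in demo().items():
        auto = entry["auto"]
        print(addon_id,
              "auto ->", f"{auto.version} from {auto.repo}" if auto else "none",
              "| needs confirmation:", [(c.version, c.repo) for c in entry["manual"]])
```

With no repo marked as trusted, the 9.9.9 build of `plugin.video.example` from the third-party repo is held for manual confirmation rather than applied, while the 6.8.1 build from the origin repo is applied; passing `trusted=["repository.thirdparty"]` models the opt-in case, where that repo's higher version wins.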