Google Browser Sync

So Google’s recent Browser Sync tool is pretty neat. It allows you to sync your Firefox sessions between computers, which is pretty nice for a guy that frequently moves between 3-4 computers. The only curious thing I noticed when I installed it, was that it installed from dl.google.com even though I hadn’t added that to my list of exceptions - photographic evidence here:

My current list of exceptions:

Firefox Exceptions

The browser sync install dialog:

Google Browser Sync Install
So how did Google achieve this? I was quite suspicious at first, but it turns out it’s simply a little collaboration with Mozilla. There is a browser sync page on the Mozilla addons site, but all it does is redirect the user to Google’s xpi for installation, which allows Google to still host the browser sync install file, but not require the user to add their servers to the exceptions. Here’s the content of the Google Browser Sync addon page:

<html>
<body onload="window.location.href='http://toolbar.google.com/firefox/extensions/toolbar/google-browsersync.xpi'">
</body>
</html>

Cute, huh? I haven’t decided yet whether I’m upset by this or not. They haven’t bypassed the Firefox security restrictions, but they have definitely misled me…

Update: Yea, RSnake is right (see 2nd comment). Combined with an XSS on a site that’s in your trusted exception list, this could probably allow an attacker to install XPIs from arbitrary sites if they so desired. Roxor. I’m curious if the Mozilla addon page allows JavaScript for developers - I’m assuming not, but you know what assuming does…
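To make the gap concrete, here is an added example (not part of the original post and not Firefox's code) that models the exception check as a decision function: one version looks only at the page that starts the install, the other also looks at every host the XPI is fetched from. The function names, the one-entry allowlist and the sample requests are constructed; only the toolbar.google.com URL comes from the post.

```javascript
// Simplified model of an extension-install allowlist decision.
// Not Firefox source code: function names, the allowlist contents and
// the sample requests are constructed for illustration.
const ALLOWLIST = new Set(["addons.mozilla.org"]);

const hostOf = (url) => new URL(url).hostname.toLowerCase();

// Behaviour the post describes: only the page that starts the install
// is checked, so the host that actually serves the .xpi is ignored.
// The answer is the same whether the hand-off was put there by the
// site owner or injected into the page.
function allowByInitiator(req) {
  return ALLOWLIST.has(hostOf(req.initiator));
}

// Hosts involved in the install that the user never approved:
// the initiating page plus every URL fetched on the way to the .xpi.
function unlistedHosts(req) {
  const hosts = [req.initiator, ...req.fetched].map(hostOf);
  return [...new Set(hosts)].filter((h) => !ALLOWLIST.has(h));
}

// Stricter policy: every host in the chain must be on the allowlist.
function allowStrict(req) {
  return req.fetched.length > 0 && unlistedHosts(req).length === 0;
}

// Constructed requests. handOff uses the .xpi URL quoted in the post.
const REQUESTS = {
  handOff: {
    initiator: "https://addons.mozilla.org/addon-page",
    fetched: ["http://toolbar.google.com/firefox/extensions/toolbar/google-browsersync.xpi"],
  },
  sameSite: {
    initiator: "https://addons.mozilla.org/addon-page",
    fetched: ["https://addons.mozilla.org/downloads/example.xpi"],
  },
  untrustedPage: {
    initiator: "http://unlisted.example/",
    fetched: ["http://unlisted.example/example.xpi"],
  },
};

for (const [name, req] of Object.entries(REQUESTS)) {
  console.log(name, allowByInitiator(req), allowStrict(req), unlistedHosts(req));
}
```

The `unlistedHosts` result is what an install prompt would need to show for the exceptions list to mean what the user thinks it means.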

Written on: 12-11-06

4 Responses to “Google Browser Sync”

  1. Ziru Zhu wrote:

    I would blame Mozilla more on this.

    December 12th, 2006 at 12:53 am
  2. ha.ckers.org web application security lab - Archive » Firefox Allows Any Site To Inject XPI Via XSS Via Delegation wrote:

    [...] Apparently this is true, although I can’t for the life of me figure out why this should be allowed. I ran across an article at DCortesi’s site talking about how Firefox has delegated their security to Google for installation of the Google Sync XPI. Pretty scary actually. What this means is that if an XSS hole were ever found in any whitelisted domain (including XSS in their server, MITM through your proxy server etc…) Firefox will happily allow you to download xpi files. I’ve talked with a few people about this off and on in a different context of loading an xpi file into a data: directive on the whitelisted domain. Yah, that’s scary. This is worse. [...]

    December 13th, 2006 at 1:49 pm
  3. lauriannjane wrote:

    Hey Damon, ever since you moved out there I’ve read one article after another on big storms, monsoons, etc. Your windstorm of yesterday made front page news on our Pittsburgh Post Gazette. Does this have anything to do with your arrival there??

    December 16th, 2006 at 9:05 am
  4. Damon wrote:

    Well it seems to happen whenever I leave Seattle! So I guess that means I should stay in town more often.

    December 16th, 2006 at 1:32 pm
