AMO Validator Bypass Proof of Concept

This is a trivial Firefox extension that performs three potentially malicious tasks but would nevertheless be automatically signed by the validator.

The validator cannot be improved to catch these behaviors. As a Mozilla engineer says:

There is simply no way to detect malicious code like this in a dynamic language like JS through static analysis of the source code.

For full context, see Automated Scanning of Firefox Extensions is Security Theater.


  1. git clone
  2. Running a dev build? Don't forget to set xpinstall.signatures.required to false! Fortunately that wouldn't be necessary once this was automatically signed…
  3. Create a text file named in your Firefox profile's extensions directory containing the path to the cloned repo.
  4. Start Firefox.
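
A defender-side check for the two things the installation steps above change in a profile, added here as an example and not part of the original repository: it flags `xpinstall.signatures.required` set to false in prefs.js or user.js and lists pointer files in the extensions directory. The sample profile, its file names and its paths are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Pref line that turns off add-on signature enforcement (step 2 above).
SIG_PREF = re.compile(r'user_pref\(\s*"xpinstall\.signatures\.required"\s*,\s*false\s*\)')


def audit_profile(profile_dir):
    """Report disabled signature enforcement and pointer-file sideloads."""
    profile = Path(profile_dir)
    findings = {"signatures_disabled": False, "pointer_files": []}
    # user.js is applied at startup on top of prefs.js, so check both.
    for name in ("prefs.js", "user.js"):
        pref_file = profile / name
        if pref_file.is_file():
            text = pref_file.read_text(encoding="utf-8", errors="replace")
            findings["signatures_disabled"] |= bool(SIG_PREF.search(text))
    ext_dir = profile / "extensions"
    if not ext_dir.is_dir():
        return findings
    for entry in sorted(ext_dir.iterdir()):
        # Packed add-ons are .xpi files, unpacked ones are directories; a small
        # plain file holding a single path is a pointer to code outside the profile.
        if not entry.is_file() or entry.suffix.lower() == ".xpi":
            continue
        if entry.stat().st_size > 4096:
            continue
        target = entry.read_text(encoding="utf-8", errors="replace").strip()
        if target and "\n" not in target:
            findings["pointer_files"].append((entry.name, target))
    return findings


def build_constructed_profile(root):
    """Write a constructed sample profile (all names are placeholders)."""
    profile = Path(root) / "sample.default"
    (profile / "extensions").mkdir(parents=True)
    (profile / "prefs.js").write_text(
        'user_pref("browser.startup.page", 3);\n'
        'user_pref("xpinstall.signatures.required", false);\n')
    (profile / "extensions" / "example@placeholder.invalid").write_text("/tmp/cloned-repo\n")
    (profile / "extensions" / "packed@placeholder.invalid.xpi").write_bytes(b"PK\x03\x04")
    return profile


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_constructed_profile(tmp)))
```

Any pointer file it reports loads extension code from outside the profile, so the target path is what to review.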


Data exfiltration

  1. Start netcat listening on a local port:
% nc -l 11111
  2. Load or any Basic Auth–protected site and enter any username and password.

Your Base64-encoded username and password should show up in the netcat output. This could be any other sensitive data, and it could just as easily be POSTed to a remote server.

Local process execution

(The default executable is available only on OS X. Feel free to sub in another program for your platform.)

An OS X system dialog should appear, spawned via the osascript command-line tool.

Remote code execution

  1. Start an HTTP server in the remote directory of the local repo:
% cd remote
% python -m SimpleHTTPServer 11112
  2. Load

An alert will appear showing the path to the Firefox profile directory. This alert is generated by unvalidated remote code that runs with full privileges.


Via amo-validator:

% ./
% amo-validator --selfhosted -v ../bypass.xpi

Detected type: Extension/Multi-Extension
All tests succeeded!

Notice:	Add-on appears not to be localized
The add-on doesn't have any locale entries in its chrome.manifest file, which suggests that it may not be localized.
	Tier:	4
	File:	chrome.manifest

Via addons-validator:

% ./
% addons-validator ../bypass.xpi

Validation Summary:

errors          0
notices         0
warnings        0

Via the online validator:

Your submission passed validation and will be automatically signed.

