Impact
Malicious websites could feed keys to Tridactyl which it would execute as if a user had pressed them, outside of the command line. If the native messenger was installed, an attacker could execute arbitrary programs by sending the string mpv <data URI here> to the user's shell. See this gist for a third-party example of how it could have been exploited.
We believe that the vulnerability was not known by any bad actors.
All Tridactyl versions released between September 2018 and June 14th 2019 were affected, i.e. 1.14.0 <= v <= 1.14.10 and 1.15.0.
Patches
The majority of our users already have the patch - you can check easily on the new tab or with :version. Update to 1.14.12+ (for Firefox ESR) or 1.16.0+ by going to about:addons in Firefox, clicking the cog in the top right, and then clicking "Update". Once Tridactyl has downloaded you'll need to restart Firefox. It will look as if the progress bar is stuck - just restart.
Workarounds
Remove the native messenger - check the output of :! pwd and then delete that directory.
References
bovine3dom's writeup
The GitHub issue
The patch that fixed it
For more information
If you have any questions or comments about this advisory:
Impact
Malicious websites could feed keys to Tridactyl which it would execute as if a user had pressed them, outside of the command line. If the native messenger was installed, an attacker could execute arbitrary programs by sending the string
mpv <data URI here>to the user's shell. See this gist for a third-party example of how it could have been exploited.We believe that the vulnerability was not known by any bad actors.
All Tridactyl versions released between September 2018 and June 14th 2019 were affected, i.e. 1.14.0 <= v <= 1.14.10 and 1.15.0.
Patches
The majority of our users already have the patch - you can check easily on the new tab or with
:version. Update to 1.14.12+ (for Firefox ESR) or 1.16.0+ by going toabout:addonsin Firefox, clicking the cog in the top right, and then clicking "Update". Once Tridactyl has downloaded you'll need to restart Firefox. It will look as if the progress bar is stuck - just restart.Workarounds
Remove the native messenger - check the output of
:! pwdand then delete that directory.References
bovine3dom's writeup
The GitHub issue
The patch that fixed it
For more information
If you have any questions or comments about this advisory: