Click to play, the next big problem for many smaller companies

Gijs Kruitbosch gijskruitbosch at gmail.com
Tue Sep 10 15:54:23 UTC 2013


On 10/09/13 05:26, Jesse Ruderman wrote:
> On Mon, Sep 9, 2013 at 3:47 PM, Larissa Co <lco at mozilla.com> wrote:
>> We are planning on distinguishing between regular plugins
>> like yours, and plugins we believe are particularly vulnerable. For those
>> plugins, we'll make it harder for the user to allow the plugin long term.
> Perhaps Firefox could also consider whether the plugin was loaded by
> the main page or by a third-party iframe. Stealthy attacks involving
> ad networks are likely to be the latter.
At least 2-3 years ago, when I still worked for a web company that used 
ads, a lot of ad networks (as well as stats/tracking networks, which 
were sometimes required by yet other ad networks to have "independent" 
verification of visiting numbers etc.) just used a script that needs to 
be included with a script tag, often enough outside of iframes in the 
real world. They do sometimes then create their own iframes, but if the 
network is compromised, obviously the compromise needn't be limited to 
those iframes.

I don't know that we could reliably detect what created a plugin 
<object>, and even if we added third-party detection there, depending on 
how we do it, it might break legitimate things like Google's CDN hosting 
of swfobject.

:-(

~ Gijs
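The two signals discussed in this exchange, as an added example that is not code from the thread or from Firefox: Jesse's "is the plugin inside a third-party iframe?" check, and, for comparison, a hypothetical "was the <object> inserted by a third-party script?" check. The frame tree is a toy model in plain objects (no real DOM, so it runs under Node), the hostnames are constructed, and the `creatorScriptUrl` field is ground truth the model grants itself; Gijs's point is precisely that a browser cannot reliably attribute the creating script. The scenarios reproduce his two caveats: the iframe check misses an ad tag that runs in the top document, and the script-origin check flags a legitimate CDN-hosted swfobject.

```javascript
// Added example modelling the click-to-play "who loaded this plugin?" signals
// from the thread. Not Firefox code; frames are plain objects, hostnames are
// constructed, and `creatorScriptUrl` is information the model simply assumes.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// A frame in the toy tree; `parent` is null for the top-level document.
function makeFrame(url, parent = null) {
  return { url, origin: originOf(url), parent };
}

function topFrameOf(frame) {
  let f = frame;
  while (f.parent) f = f.parent;
  return f;
}

// Signal 1 (Jesse's suggestion): walk from the plugin's document up to the
// top document; if any frame on the way has an origin different from the top
// document's, the plugin lives in a third-party iframe.
function inThirdPartyIframe(frame) {
  const top = topFrameOf(frame);
  for (let f = frame; f !== top; f = f.parent) {
    if (f.origin !== top.origin) return true;
  }
  return false;
}

// Signal 2 (hypothetical): compare the origin of the script that inserted the
// <object> with the top document's origin. Only possible here because the
// model records the creator; a real browser has no reliable way to do so.
function insertedByThirdPartyScript(plugin) {
  if (plugin.creatorScriptUrl === null) return false;
  const top = topFrameOf(plugin.frame);
  return originOf(plugin.creatorScriptUrl) !== top.origin;
}

// Both signals for one plugin instance; the caller decides the UI consequence
// (e.g. click-to-play without a long-term "allow" option).
function classifyPlugin(plugin) {
  return {
    thirdPartyIframe: inThirdPartyIframe(plugin.frame),
    thirdPartyScript: insertedByThirdPartyScript(plugin),
  };
}

// Constructed scenarios.
const topDoc = makeFrame('https://news.example/article');

// (a) Plugin inside an ad-network iframe: signal 1 fires.
const adFrame = makeFrame('https://ads.adnet.example/slot?id=7', topDoc);
const pluginInAdFrame = { frame: adFrame, creatorScriptUrl: null };

// (b) Ad tag included with a plain <script src> in the top document, which
// then writes the <object> straight into the page: signal 1 stays silent.
const pluginFromAdTag = {
  frame: topDoc,
  creatorScriptUrl: 'https://tag.adnet.example/tag.js',
};

// (c) Legitimate: the site embeds its own Flash through swfobject served from
// a CDN. Signal 2 fires although nothing is wrong.
const pluginViaCdnLoader = {
  frame: topDoc,
  creatorScriptUrl: 'https://cdn.example-cdn.net/swfobject/2.2/swfobject.js',
};

// (d) Nested: a same-origin iframe that in turn embeds a third-party iframe.
const widgetFrame = makeFrame('https://news.example/widget', topDoc);
const nestedAdFrame = makeFrame('https://ads.adnet.example/nested', widgetFrame);
const pluginNested = { frame: nestedAdFrame, creatorScriptUrl: null };

const scenarios = { pluginInAdFrame, pluginFromAdTag, pluginViaCdnLoader, pluginNested };
for (const [name, plugin] of Object.entries(scenarios)) {
  console.log(name, classifyPlugin(plugin));
}
```

Scenario (b) is the false negative Gijs describes and (c) the false positive; neither signal alone separates a compromised ad network from a site loading its own plugin through a third-party-hosted helper.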


