1581417 - Measures against extension-originated leaks detailed in DataSpii report

Status: RESOLVED DUPLICATE of bug 1578284

(WebExtensions :: Untriaged, enhancement)

Description

[sahal8020@tutanota.com]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Read DataSpii report here https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/

Actual results:

I was appalled and found no public response from Mozilla team.

Expected results:

Read an acceptable response and commitments from people behind my favorite browser. For example:

• Provide an option to turn an extension to be only local (no web access) at time of installation with ability to turn that on/off from Add-ons Manager (with adequate risk/breaking warnings on both ways).
• Give higher priority to these tickets:
  -- Extend optional permissions (https://bugzilla.mozilla.org/show_bug.cgi?id=1458585)
  -- Users can control host permissions (https://bugzilla.mozilla.org/show_bug.cgi?id=1497075)
  -- Permissions API events (https://bugzilla.mozilla.org/show_bug.cgi?id=1444294)
• Provide a Permissions page listing each one, an explanation, risk associated, etc. and which extension is using it. Something similar but better than the one provided by this extension: https://addons.mozilla.org/en-US/firefox/addon/permission-inspector/.
• Stuff related to extension review process but I'll stop here so as to not get kicked out this soon since this is too much.

Thanks!

Comment 1

[Virginia (please send need info request to Brindusa Tot)]

Hi sahal8020,

Thanks for reporting this as an enhancement.

I'll add a product and component so the corresponding team can take a look at this and advice. If you consider this is not the right component, feel free to change it.

Regards,

Comment 2

[Caitlin Neiman [:caitmuenster]]

Mozilla has blocked the extensions that were found to be in violation of our policies.
​
Extension security is important to Mozilla, and our ecosystem has undergone several shifts over the years in response to changing threats.
​
In response, our recent focus has been on limiting the damage malicious extensions can do, helping users discover recommendations [1] that we vet and monitor, helping users understand the risks that come with installing extensions, and making it easier for users to report potentially malicious extensions to us.
​

1. https://support.mozilla.org/en-US/kb/recommended-extensions-program
   ​
   Additionally, we are taking a look at how we ask for and grant host permissions as part of our Manifest version 3 work, so I'm closing this as duplicate of bug 1578284.