Closed Bug 1618234 Opened 5 years ago Closed 5 years ago

Dire extensions insecurity situation

Categories

(WebExtensions :: Untriaged, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: aros, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0

Steps to reproduce:

I'm pretty much appalled by how Mozilla handles extensions nowadays: i.e. pretty much anyone can publish anything on https://addons.mozilla.org/firefox/ and it will be featured in the extension store under a quite benign remark:

"This is not a Recommended Extension. Make sure you trust it before installing".

  1. How is the average user, who has zero knowledge of IT, JavaScript, security, programming languages, etc., supposed to trust anyone or anything? Based on what? Even when the author of an extension is a known figure, what if he has sold/lost access to his Firefox account and a bad actor has pushed an update with "bad" features?

  2. Even if you're a programmer but not necessarily good at JavaScript, how are you supposed to read the source code of an extension and be sure it doesn't do anything nefarious?

  3. Why does Mozilla even list such extensions on its official website which is supposed not to contain any malware disguised as a useful extension?

Case in point: Google has already removed thousands of "bad" add-ons from its Chrome store. I'm not entirely sure all my Firefox extensions are clean and haven't already grabbed all my passwords and sent them to someone.

This situation needs to be addressed. Now.

Either Mozilla creates a whole separate website where unchecked extensions are listed under e.g. such a note "This website contains extensions which have not been reviewed/formally verified by the Mozilla staff and thus they can be used to steal your passwords or money or do pretty much anything to your web data".

Another option which is what I'm personally looking for is this one: Firefox allows the user to create a list of secure web sites for which only certain trusted extensions are allowed to run.

The reason why I'm overly concerned is that right now I have at the very least two extensions which contain literally megabytes of obfuscated/compressed JavaScript code and there's no way on Earth to even check if they are not malware (1. https://addons.mozilla.org/en-US/firefox/addon/grammarly-1/ 2. https://addons.mozilla.org/en-US/firefox/addon/linguix/). One of my online profiles has recently been hacked (for the first time ever in my 25+ years of using the web) and I still cannot figure out how it's happened because my PC is 100% clean from malware and I can only think of something which is running in my Firefox profile with the "Access all websites data" permission.

Speaking of this permission. It surely sounds like any extension with such a permission is able to fetch passwords from all the password forms I'm encountering. Is that true? It surely looks like so. Is it possible to create a new permission, e.g. "Read your passwords" and only allow certain extensions to do that? It might not be possible though as extensions can alter HTML DOM any way they want and the browser is none the wiser.

In short, I really really dislike what's going on with Firefox (and Chrome) extensions (add-ons). Ever since you've given up on XUL and migrated to WebExtensions it looks like you've given up on formally verifying most submissions and I'm very very concerned about the safety of my data.

Please do something about it.

This is not a discussion for Firefox user support forum. It's a security bug report. Please take it seriously.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Product: Firefox → WebExtensions

(In reply to Artem S. Tashkinov from comment #0)

> This is not a discussion for Firefox user support forum. It's a security bug report. Please take it seriously.

Please take a look at the bug reporting guidelines: https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines
Your report is way too general for anybody to be able to take any concrete action on it. In spite of your remark above, the most practical way to get additional clarity on this topic would be to start a thread on the dev-addons mailing list. Nevertheless, to address a few specific questions:

> Speaking of this permission. It surely sounds like any extension with such a permission is able to fetch passwords from all the password forms I'm encountering. Is that true? It surely looks like so. Is it possible to create a new permission, e.g. "Read your passwords" and only allow certain extensions to do that? It might not be possible though as extensions can alter HTML DOM any way they want and the browser is none the wiser.

Extensions can use "content scripts" which allow them to run a bit of JavaScript in the context of a web page. Given the nature of JavaScript and the DOM APIs, there are a virtually unlimited number of ways a malicious extension that has access to a given page could get at a password in a form on the page. The idea of locking down scripts sounds great in theory but in reality it is not practical. If you have specific ideas about how this could be done, I'm sure many people would be eager to hear them.

> In short, I really really dislike what's going on with Firefox (and Chrome) extensions (add-ons). Ever since you've given up on XUL and migrated to WebExtensions it looks like you've given up on formally verifying most submissions and I'm very very concerned about the safety of my data.

This is another thing (manually reviewing the source code of every extension) that isn't practical. This is a simple function of the volume of extension submissions that exist and the resources it would require to manually review them all.

I don't mean to dismiss your concerns, they're legitimate, but specific practical ideas are more useful than general statements. Also keep in mind that Chrome and Firefox are both working on a major revision to the extension architecture (also known as "manifest v3"). It may not address your big concerns directly, but providing finer-grained user control over which web sites an extension may access is part of that effort.
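
An added example (not part of the bug thread and not Mozilla's code) of checking what the comment above describes: which entries in an extension's `manifest.json` give it host access or content-script injection on every site. The sample manifest and the `auditManifest` name are constructed for illustration.

```javascript
// Added example: flag manifest.json entries that give an extension access to every site.
// Match patterns whose host part is a bare "*", plus the special "<all_urls>" token.
const ALL_HOSTS = /^(<all_urls>|(\*|https?|wss?|ftp):\/\/\*\/.*)$/;

function auditManifest(manifest) {
  const findings = [];
  // Manifest v2 mixes API and host permissions in "permissions";
  // manifest v3 moves host patterns to "host_permissions".
  for (const key of ["permissions", "host_permissions", "optional_permissions"]) {
    for (const entry of manifest[key] || []) {
      if (typeof entry === "string" && ALL_HOSTS.test(entry)) {
        findings.push({ where: key, pattern: entry, issue: "host access to all sites" });
      }
    }
  }
  // Content scripts run inside every page their "matches" patterns cover.
  (manifest.content_scripts || []).forEach((script, i) => {
    for (const pattern of script.matches || []) {
      if (ALL_HOSTS.test(pattern)) {
        findings.push({
          where: `content_scripts[${i}].matches`,
          pattern,
          issue: "content script runs on all sites",
        });
      }
    }
  });
  return findings;
}

// Constructed sample manifest (not taken from any real extension).
const sampleManifest = {
  manifest_version: 2,
  name: "Example Grammar Helper (constructed)",
  permissions: ["storage", "tabs", "<all_urls>"],
  optional_permissions: ["https://*.example.com/*"],
  content_scripts: [
    { matches: ["*://*/*"], js: ["content.js"] },
    { matches: ["https://mail.example.com/*"], js: ["mail.js"] },
  ],
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.where}: ${f.pattern} -> ${f.issue}`);
}
```

A finding means the extension can run code in every page it matches, including pages with login forms; it is not by itself evidence of malicious behaviour.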

We have several projects in various stages, addressing this issue, but this is not a problem that can be solved with a magic wand. We're trying to balance the need for user agency by providing powerful APIs and abilities to customize users' experience of the Web, while providing a more curated list of extensions through the Recommended Programme for mostly mainstream needs, and several other initiatives along that spectrum.

As Andrew explained, this is too broad and not actionable. If you have a concrete issue, or an idea how to improve the situation (that doesn't translate to hiring hundreds of additional reviewers), feel free to raise it through appropriate channels.

Closing this as incomplete.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE