Do Firefox add-ons have full access to passwords etc?
I use a master password in Firefox password manager to protect log-in details. Yet I have heard that add-ons have full access to passwords and other data. Is that true?
I use Linux Lite, Ubuntu-based (a very nice OS, by the way).
Chosen solution
Over the years, Firefox has supported several different technologies for Add-ons to interact with Firefox data.
Traditionally, in what are now called Legacy extensions, yes, extensions could access passwords. (E.g., Password Manager access, Using Password Manager considered a best practice) Human reviewers at the Add-ons site checked extensions to see whether they did anything suspicious, so in most cases, there would have been a good reason for such access, such as connecting to FTP sites (FireFTP) or monitoring your webmail inbox for new messages.
Newer extensions written using the WebExtensions API (indicated on the Add-ons site with a badge that they work in Firefox 57+) have to show a bunch of permissions when you install them. I don't know if there's a permission for this any more or whether it's blocked. Maybe someone else can figure that out.
Read this answer in context 👍 3All Replies (6)
Seçilmiş Həll
Over the years, Firefox has supported several different technologies for Add-ons to interact with Firefox data.
Traditionally, in what are now called Legacy extensions, yes, extensions could access passwords. (E.g., Password Manager access, Using Password Manager considered a best practice) Human reviewers at the Add-ons site checked extensions to see whether they did anything suspicious, so in most cases, there would have been a good reason for such access, such as connecting to FTP sites (FireFTP) or monitoring your webmail inbox for new messages.
Newer extensions written using the WebExtensions API (indicated on the Add-ons site with a badge that they work in Firefox 57+) have to show a bunch of permissions when you install them. I don't know if there's a permission for this any more or whether it's blocked. Maybe someone else can figure that out.
Once you enter the master password then you login to the software security device and the passwords are unlocked.
You can log out by clicking Cancel when you get a MP dialog (Show Passwords) or use the Log Out button in the device manager (Options/Preferences -> Advanced -> Security Devices).
jscher, thanks, your reply sent me to the FF add-ons store where I looked up one of the add-ons which I already have installed. There was an orange triangle ! which opens a small window with the following:
"Permissions [Warning]
Some add-ons ask for permission to perform certain functions. Since you’re in control of your Firefox, the choice to grant or deny these requests is yours.
Please note this add-on uses legacy technology, which gives it access to all browser functions and data without requesting your permission."
Which confirms this add-on can access my data. As you say, maybe this will not be the case with newer add-ons. I may not stay around FF long enough to find out!
While I like FF I have to say its lack of up-front communication of such glaring vulnerabilities is a disgrace. At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set. That is not necessarily obvious to a new user, even intelligent ones, and we shouldn't have to stumble upon such vital information as we go along!
Meantime, I will search for a secure browser.
Modified
linuxuser23 said
Meantime, I will search for a secure browser.
How is this a problem with your browser? If you do not want add-ons to access your data, either do not install add-ons or do not save sensitive data in your browser.
Or rely on a trusted intermediary to check them. As I mentioned, the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system. If you do not trust them to do that well, see the previous paragraph.
At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set.
Without a master password, your login data can be extracted by any person or program with access to your system. See: Use a Primary Password to protect stored logins and passwords. How would you recommend getting that information to users?
To jscher,
your reply comes across as quite arrogant and dismissive, and I am not impressed.
You say " the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system", but I can only assume they do this at the time the add-on is accepted for listing, but not on a continual 24/7 basis. Therefore my point was reasonable and logical.
As regards how Firefox might get master password information to users I have already offered suggestions in my earlier post, which you have quoted.
Meantime, I have found a solution.
Please refrain from responding if you cannot do so in a respectful manner.
All you need to access the passwords is some simple code in the Browser Console (you may be prompted for the MP if you haven't entered it yet):
var pwdmanager = Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager); signons = pwdmanager.getAllLogins({}); console.log(JSON.stringify(signons));