X
Tap here to go to the mobile version of the site.

ஆதரவு மன்றம்

Do Firefox add-ons have full access to passwords etc?

  • 6 replies
  • 3 இந்த பிரச்னைகள் உள்ளது
  • Last reply by cor-el
பதிவிடப்பட்டது

I use a master password in Firefox password manager to protect log-in details. Yet I have heard that add-ons have full access to passwords and other data. Is that true?

I use Linux Lite, Ubuntu-based (a very nice OS, by the way).

I use a master password in Firefox password manager to protect log-in details. Yet I have heard that add-ons have full access to passwords and other data. Is that true? I use Linux Lite, Ubuntu-based (a very nice OS, by the way).

தீர்வு தேர்ந்தெடுக்கப்பட்டது

Over the years, Firefox has supported several different technologies for Add-ons to interact with Firefox data.

Traditionally, in what are now called Legacy extensions, yes, extensions could access passwords. (E.g., Password Manager access, Using Password Manager considered a best practice) Human reviewers at the Add-ons site checked extensions to see whether they did anything suspicious, so in most cases, there would have been a good reason for such access, such as connecting to FTP sites (FireFTP) or monitoring your webmail inbox for new messages.

Newer extensions written using the WebExtensions API (indicated on the Add-ons site with a badge that they work in Firefox 57+) have to show a bunch of permissions when you install them. I don't know if there's a permission for this any more or whether it's blocked. Maybe someone else can figure that out.

Read this answer in context 3

Additional System Details

பயன்பாடு

  • User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0

கூடுதல் தகவல்

jscher2000
  • Top 10 Contributor
8758 தீர்வுகள் 71656 பதில்கள்
பதிவிடப்பட்டது

தீர்வு தேர்ந்தெடுக்கப்பட்டது

Over the years, Firefox has supported several different technologies for Add-ons to interact with Firefox data.

Traditionally, in what are now called Legacy extensions, yes, extensions could access passwords. (E.g., Password Manager access, Using Password Manager considered a best practice) Human reviewers at the Add-ons site checked extensions to see whether they did anything suspicious, so in most cases, there would have been a good reason for such access, such as connecting to FTP sites (FireFTP) or monitoring your webmail inbox for new messages.

Newer extensions written using the WebExtensions API (indicated on the Add-ons site with a badge that they work in Firefox 57+) have to show a bunch of permissions when you install them. I don't know if there's a permission for this any more or whether it's blocked. Maybe someone else can figure that out.

Over the years, Firefox has supported several different technologies for Add-ons to interact with Firefox data. Traditionally, in what are now called Legacy extensions, yes, extensions could access passwords. (E.g., [https://developer.mozilla.org/Add-ons/SDK/High-Level_APIs/passwords Password Manager access], [https://developer.mozilla.org/Add-ons/Security_best_practices_in_extensions#Handling_of_logins_and_passwords Using Password Manager considered a best practice]) Human reviewers at the Add-ons site checked extensions to see whether they did anything suspicious, so in most cases, there would have been a good reason for such access, such as connecting to FTP sites (FireFTP) or monitoring your webmail inbox for new messages. Newer extensions written using the WebExtensions API (indicated on the Add-ons site with a badge that they work in Firefox 57+) have to show a bunch of permissions when you install them. I don't know if there's a permission for this any more or whether it's blocked. Maybe someone else can figure that out.
cor-el
  • Top 10 Contributor
  • Moderator
17522 தீர்வுகள் 158442 பதில்கள்
பதிவிடப்பட்டது

Once you enter the master password then you login to the software security device and the passwords are unlocked.

You can log out by clicking Cancel when you get a MP dialog (Show Passwords) or use the Log Out button in the device manager (Options/Preferences -> Advanced -> Security Devices).

Once you enter the master password then you login to the software security device and the passwords are unlocked. You can log out by clicking Cancel when you get a MP dialog (Show Passwords) or use the Log Out button in the device manager (Options/Preferences -> Advanced -> Security Devices).
பதிவிடப்பட்டது

உதவிகரமான பதில்

jscher, thanks, your reply sent me to the FF add-ons store where I looked up one of the add-ons which I already have installed. There was an orange triangle ! which opens a small window with the following:

"Permissions [Warning]

Some add-ons ask for permission to perform certain functions. Since you’re in control of your Firefox, the choice to grant or deny these requests is yours.

Please note this add-on uses legacy technology, which gives it access to all browser functions and data without requesting your permission."

Which confirms this add-on can access my data. As you say, maybe this will not be the case with newer add-ons. I may not stay around FF long enough to find out!

While I like FF I have to say its lack of up-front communication of such glaring vulnerabilities is a disgrace. At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set. That is not necessarily obvious to a new user, even intelligent ones, and we shouldn't have to stumble upon such vital information as we go along!

Meantime, I will search for a secure browser.

jscher, thanks, your reply sent me to the FF add-ons store where I looked up one of the add-ons which I already have installed. There was an orange triangle ! which opens a small window with the following: "Permissions [Warning] Some add-ons ask for permission to perform certain functions. Since you’re in control of your Firefox, the choice to grant or deny these requests is yours. Please note this add-on uses legacy technology, which gives it access to all browser functions and data without requesting your permission." Which confirms this add-on can access my data. As you say, maybe this will not be the case with newer add-ons. I may not stay around FF long enough to find out! While I like FF I have to say its lack of up-front communication of such glaring vulnerabilities is a disgrace. At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set. That is not necessarily obvious to a new user, even intelligent ones, and we shouldn't have to stumble upon such vital information as we go along! Meantime, I will search for a secure browser.

linuxuser23 மூலமாக திருத்தப்பட்டது

jscher2000
  • Top 10 Contributor
8758 தீர்வுகள் 71656 பதில்கள்
பதிவிடப்பட்டது

linuxuser23 said

Meantime, I will search for a secure browser.

How is this a problem with your browser? If you do not want add-ons to access your data, either do not install add-ons or do not save sensitive data in your browser.

Or rely on a trusted intermediary to check them. As I mentioned, the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system. If you do not trust them to do that well, see the previous paragraph.

At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set.

Without a master password, your login data can be extracted by any person or program with access to your system. See: Use a Master Password to protect stored logins and passwords. How would you recommend getting that information to users?

''linuxuser23 [[#answer-1009658|said]]'' <blockquote>Meantime, I will search for a secure browser. </blockquote> How is this a problem with your browser? If you do not want '''add-ons''' to access your data, either do not install add-ons or do not save sensitive data in your browser. Or rely on a trusted intermediary to check them. As I mentioned, the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system. If you do not trust them to do that well, see the previous paragraph. <blockquote> At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set. </blockquote> Without a master password, your login data can be extracted by any person or program with access to your system. See: [[Use a Master Password to protect stored logins and passwords]]. How would you recommend getting that information to users?
பதிவிடப்பட்டது

உதவிகரமான பதில்

To jscher,

your reply comes across as quite arrogant and dismissive, and I am not impressed.

You say " the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system", but I can only assume they do this at the time the add-on is accepted for listing, but not on a continual 24/7 basis. Therefore my point was reasonable and logical.

As regards how Firefox might get master password information to users I have already offered suggestions in my earlier post, which you have quoted.

Meantime, I have found a solution.

Please refrain from responding if you cannot do so in a respectful manner.

To jscher, your reply comes across as quite arrogant and dismissive, and I am not impressed. You say " the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system", but I can only assume they do this at the time the add-on is accepted for listing, but not on a continual 24/7 basis. Therefore my point was reasonable and logical. As regards how Firefox might get master password information to users I have already offered suggestions in my earlier post, which you have quoted. Meantime, I have found a solution. Please refrain from responding if you cannot do so in a respectful manner.
cor-el
  • Top 10 Contributor
  • Moderator
17522 தீர்வுகள் 158442 பதில்கள்
பதிவிடப்பட்டது

All you need to access the passwords is some simple code in the Browser Console (you may be prompted for the MP if you haven't entered it yet):

var pwdmanager = Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager);
signons = pwdmanager.getAllLogins({});
console.log(JSON.stringify(signons));
All you need to access the passwords is some simple code in the Browser Console (you may be prompted for the MP if you haven't entered it yet): <pre><nowiki>var pwdmanager = Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager); signons = pwdmanager.getAllLogins({}); console.log(JSON.stringify(signons));</nowiki></pre>