Mozilla needs to adjust new review process for Firefox add-ons
Mozilla switched to a new Firefox add-ons review system recently which reduces the time it takes before extensions are listed on Mozilla AMO (the official Firefox add-ons store).
Firefox add-ons are scanned automatically when developers upload them, and when they pass the checks, they are published on the website.
Mozilla employees and volunteers will continue to review all add-ons and add-on updates manually, but that happens after the publication of the add-on.
This means that there is a window during which add-ons are available for download, installation, or automatic update while they have only been vetted by automation.
A first batch of add-ons with mining scripts included was detected and reported recently. These add-ons were publicly available on Mozilla AMO, and have since been removed by Mozilla.
The add-ons in this case disclosed the mining scripts in their descriptions, which made detection relatively easy.
Mozilla's system is still better than that of Google Chrome, as Google does not manually review extensions for Chrome unless they are flagged for review.
The past years have shown that automation is not enough when it comes to protecting Chrome users from malicious, spying or otherwise problematic browser extensions. It seems likely, and the mining script extensions appear to confirm it, that Mozilla's automated system won't be 100% bulletproof either.
Incidents like this one paint the new WebExtensions system in a bad light, considering that it was advertised as being safer than the previous system. That claim still holds, as legacy add-ons could have done far more damage had Mozilla implemented an automatic system back then.
Here is what I think needs to be done to adjust the system:
- Mozilla needs to mark extensions that have not been reviewed manually. Currently there is no distinction between add-ons that have been reviewed manually and those that have only passed the automated checks so far.
- Firefox needs an option to block extension updates unless they have been reviewed manually.
Other options that Mozilla may want to consider include limiting the exposure of extensions that have been reviewed automatically only, or whitelisting very popular extensions from trusted developers only.
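Administrators who want the effect of the second suggestion today do not have to wait for Mozilla: Firefox enterprise policies can already disable automatic extension updates and restrict installation to an allowlist. The following policies.json is an added example, not part of the original post or Mozilla's documentation; it assumes a Firefox release that supports the ExtensionUpdate and ExtensionSettings policies, and the extension ID is a placeholder to replace with the ID of an extension that has actually been reviewed.

```json
{
  "policies": {
    "ExtensionUpdate": false,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Only reviewed extensions from the allowlist may be installed."
      },
      "reviewed-extension@example.invalid": {
        "installation_mode": "allowed"
      }
    }
  }
}
```

With ExtensionUpdate set to false, installed extensions stay on their current version until someone deliberately updates them, which gives the manual review time to catch up before an update reaches users; the wildcard block plus per-ID allow entries approximates the whitelisting the post describes. The file is placed in the distribution folder of the Firefox installation (Windows, macOS and Linux) or delivered through the platform's group policy mechanism.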
It seems highly unlikely that Mozilla will return to the manual review process for all extensions. While I would love to see that happen, as it is a big advantage over how Google handles things, I cannot see that happening.
Chrome is painted in a bad light time and time again when extensions manage to slip by the Store's automatic detection system, and it looks as if Firefox is heading the same way in this regard, maybe with faster responses to these incidents.
Now You: How would you handle this?