A wave of malware add-ons hit the Mozilla Firefox Extensions Store - gHacks Tech News

A wave of malware add-ons hit the Mozilla Firefox Extensions Store

If you browse the official Mozilla store for Firefox extensions, called Mozilla AMO, you may stumble upon extensions that have names of popular software products or extensions.

Extensions like Adobe Flash Player or ublock Origin Pro are listed in the Mozilla AMO store currently. These have no users at the time of writing as they are brand new and they appear to have been created and uploaded by random users (Firefox user xyz).

firefox extensions spam

The extensions have no description and they require access to all data for all websites. When you download the extensions, you may notice that the name of the extension does not necessarily match the downloaded file name. The download if ublock origin pro returned a adpbe_flash_player-1.1-fx.xpi file.

The actual extensions have different file sizes and their functionality may differ as well. All have in common that they listen to certain user inputs and send these to a third-party web server.

The uBlock copycat extension sends form data to a web server, the first Adobe Flash Player copycat that I checked logged all keyboard inputs and did the same.

Mozilla will remove the extensions once it notices them. The problem here is that this happens after the fact. The spam extensions may turn up in user searches and they also turn up when you sort by recent updates.

Mozilla switched from a "review first, publish second" to a "publish first, review second" model in 2017. Any extension uploaded to Mozilla AMO that passes automated checks is published first with the exception of extensions of the Firefox Recommended Extensions program.

Google does the same thing but does not even review extensions manually after publication. The process leads to faster publications but also opens the door for spam and malicious extensions.

Closing Words

Malicious or spam extensions that use the names of popular extensions or programs are not anything new. Mozilla's AMO store was hit with waves of spam extensions in 2017 and 2018, both happened after Mozilla switched the release process.

Google's Chrome Web Store was hit even harder by unwanted extensions in recent years. Chrome's popularity and the fact that Google does not review any extensions manually by default play a role here.

While it is easy to spot these particular fake extensions, others may not be as easy to spot. Back in 2017 I suggested Mozilla add a "manual reviewed" batch to extensions to give Firefox users more confidence in the legitimacy of extensions on the official add-ons repository.

Now You: What do you think companies like Google or Mozilla should do?

Summary
A wave of malware add-ons hit the Mozilla Firefox Extensions Store
Article Name
A wave of malware add-ons hit the Mozilla Firefox Extensions Store
Description
If you browse the official Mozilla store for Firefox extensions, called Mozilla AMO, you may stumble upon extensions that have names of popular software products or extensions.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. ard said on May 29, 2019 at 6:56 am
    Reply

    I am very disappointed that Firefox indeed does not check extensions before including in their library. Considering that FF, claims to be security and privacy driven , it is the more disappointing that FF like Google have the “publish first, check later” approach.

    FF shall change this, to a “check first, publish later” method. and most of all this is a warning for each web user , that nothing is save , check it all yourself; if you can that is.

    1. Benjamin said on May 29, 2019 at 8:06 am
      Reply

      …Situations like this are simply the age old problem of whitelists and blacklists and how to maintain them. Either we live in a world where we trust each other basically or we don’t… one can fully liberalise everything and call it individual freedom… unfortunately when the bad intentions win…

  2. John C. said on May 29, 2019 at 7:55 am
    Reply

    Well, I guess the obvious solution would be for Mozilla to review the extensions before listing them. However, there might be some reason why they won’t want to do this.

    1. tyftyf said on May 29, 2019 at 9:48 am
      Reply

      Lazy

    2. Anonymous said on May 29, 2019 at 5:31 pm
      Reply

      The extension reviewers has been dwindling for years. Most of them left when Mozilla ditched the legacy extensions. That’s why Mozilla has no choice but to automate the submission process

  3. Benjamin said on May 29, 2019 at 7:59 am
    Reply

    Just to understand what legalised SPAM i.e. protected by the neoliberal state can do to you read this article here in the Swiss Media Tages Anzeiger… a few apps and the people behind it maybe as slimy and disgusting as the tools and legal clearance of the professionals but what they do in comparison is nothing. One of the Apps that brings people and unsolicited advertising together belongs to the state owned (i.e.public ownership) telecoms corporation Swisscom.
    This in german language:
    https://www.tagesanzeiger.ch/zuerich/stadt/am-hauptbahnhof-buhlen-840-beacons-um-die-smartphones-der-passanten/story/10989198

    As is usual in modern neoliberal states (the Android is nothing more than an electronic variant) freedom often means a free way to cheat well meaning trusting people on a large legalised but absolutely undemocratic scale.

  4. Klaas Vaak said on May 29, 2019 at 9:09 am
    Reply

    Mozilla switched from a “review first, publish second” to a “publish first, review second” model in 2017.

    Another one of their distinguishing features down the drain, with the result that this is another step towards a more Chrome-like browser.
    One may seriously wonder what goes through the Mozilla management team’s collective mind when they keep destroying unique, distinguishing features.

    1. 99 said on May 29, 2019 at 11:34 am
      Reply

      You shouldn’t blame Mozilla, but the abusers of the Add-on Policies
      and Mozillas
      Developer Agreement

      It’s easy to nag and not present a feasible proposal on how to stop this abuse. Screaming and calling for a human review is cheap and not the solution. But Mr. Vaak is allowed to be the first to sign up and take over this task.

      Hurry up, we all desperately await the boost on Blocked Add-ons in the future.

      1. John Fenderson said on May 29, 2019 at 6:23 pm
        Reply

        @99: “You shouldn’t blame Mozilla, but the abusers of the Add-on Policies
        and Mozillas Developer Agreement”

        Policies and agreements are meaningless if they aren’t being enforced.

      2. 99 said on May 29, 2019 at 8:12 pm
        Reply

        “… if they aren’t being enforced.”

        What do you suggest?
        More policeman at Mozilla’s headquarter to protect with their batons our FREEDOM to customize Firefox?

      3. John Fenderson said on May 30, 2019 at 5:09 pm
        Reply

        @99: I suggest that Mozilla either engage in actual vetting of extensions in their store, or stop requiring extension signing and claiming that they are keeping extensions safe.

      4. Stan said on May 29, 2019 at 6:36 pm
        Reply

        “You shouldn’t blame Mozilla”

        Er yes we should, this crap has been going on since before the Conduit Toolbar debacle, the current AMO ‘administration’ (no ones been fired!!?) also argued that there was no problem with a themer bundling the Ask, toolbar/search engine with his themes.

    2. user17843 said on May 29, 2019 at 12:22 pm
      Reply

      Everything is probably well-intended to a certain extent. If you live inside a bubble, without reflection, your decisions will soon be inside a vacuum, where you can’t really understand what you are doing.

      That’s the case for this management. They are not even out ouf touch with the community, but according to mozilla employees they are even out of touch with a significant percentage of the workforce at mozilla.

      Feedback is always painful, especially if you have ignored everyone for years, so theres only one easy route for them, that is, ignoring everyone even harder.

      One reason this detachement from users and employees is even possible is the unbelievable mass scaling of the web from 2000-2020.

      So the income of big tech companies only rises, and they do not have to face their customers, so they don’t get the feedback.

      Second, mozilla employees work on many places world wide, and due to the fact that the foundation controls the corporation, there’s another level of detachment for the leadership.

      If I would control Mozilla I would dissolve the foundation, fire all people except those who work in one of the main HQs (with 1000 employees they behave like they need 10 different head quarters), and switch to Blink. Then have around 600 employees left, which would give the company a couple of years to find a solution to stay alive in the coming decade.

      Unfortunately the foundation controls mozilla, their interest is in opposing a streamlined organization, which is probably why Brendan Eich got fired, as he wanted to change and optimize everything in the company.

      On the other hand, many employees probably like it the way it is currently, as it is probably an awesome and relaxed atmosphere at mozilla if you like the values they represent.

      1. Lord-Lestat said on May 29, 2019 at 12:44 pm
        Reply

        @user17843 Switching to Blink? This would be utter stupidity. Google’s engine is cancer material. None with a sane mind should support and spread Google’s monopoly over the browser-market! The more different engines are around, the better it is for technology-diversity.

        Google and their Chromium engine are the reason of the sad state of browsers right now. Everyone sees how Google is successful and wants to have a piece of the pie, removing their own unique strength and adopting more of the (Google/Apple) same. They make themselves extinct and the only one who is able to lean back, watch and smile while the competition is terminating itself – is Google!

        So no, we do need not more but instead less Google and especially less Blink!

      2. user17843 said on May 29, 2019 at 1:02 pm
        Reply

        well there are multiple possibilities, like forking WebKit. why reinvent the wheel when apple has already done all the work. If they forked WebKit or Blink there would be no future dependence.

      3. Iron Heart said on May 29, 2019 at 1:04 pm
        Reply

        @Lord Lestat

        > Google’s engine is cancer material.

        No, it’s not. Blink is a rendering engine, i.e. it renders websites. The spyware parts of Chrome have nothing at all to do with the rendering engine. I beg to differ.

        > None with a sane mind should support and spread Google’s monopoly over the browser-market!

        I have no problem with browsers like Ungoogled Chromium. Chromium is 100% open source, one can fork it. Some very privacy-friendly browsers are based on Chromium.

        > Everyone sees how Google is successful and wants to have a piece of the pie, removing their own unique strength and adopting more of the (Google/Apple) same.

        Or maybe it’s because the development of browser engines is insanely expensive these days, and only few companies can afford their own engine? The small browser projects all use open source engines developed by the big corporations. It might be news to you, but browser development can’t be done by hobbyists these days. So competitor engines to Blink being developed from scratch by hobbyists don’t even exist these days.

        > They make themselves extinct and the only one who is able to lean back, watch and smile while the competition is terminating itself – is Google!

        You can fork the Chromium code. Ungoogled Chromium does that continually by removing the spyware parts and by only including web rendering / Blink improvements. I can see why one wouldn’t want to use Chrome itself, though.

      4. John Fenderson said on May 31, 2019 at 5:30 pm
        Reply

        @Iron Heart: “It might be news to you, but browser development can’t be done by hobbyists these days.”

        Sure it can. Browser development isn’t some sort of black art, and you don’t have to implement every feature of the major browsers or every item in the HTML5 standard in order to have a useful browser.

      5. plb4333 said on May 30, 2019 at 9:46 am
        Reply

        100% agreed. Well said

      6. 99 said on May 29, 2019 at 1:19 pm
        Reply

        If I would control Mozilla

        Why don’t you coach your national soccer team instead? Oh, I see there are a gazillion wannabe coaches already.

        The daily challenge is, how to cope abuse of the Browser Extension Ecosystem and not how to reform a foundation.

      7. user17843 said on May 30, 2019 at 12:54 am
        Reply

        “Why don’t you coach your national soccer team instead?”

        I do that in my spare time when I’m not busy lecturing international corporations.

      8. 99 said on May 30, 2019 at 9:20 am
        Reply

        @user17843 +1๏̯͡๏1

      9. VioletMoon said on May 29, 2019 at 5:43 pm
        Reply

        @ user17843–“First, though, there’s a matter that we should all be clear about: Brendan Eich was not fired.”

        https://www.forbes.com/sites/quora/2014/04/11/did-mozilla-ceo-brendan-eich-deserve-to-be-removed-from-his-position-due-to-his-support-for-proposition-8/#4b6574df2158

        Values? Hmmm . . . sounds like Mozilla, Inc. prefers public opinion and the march of the majority rather than independent thought that has nothing to do with the organization of a company or “optimization.” Individualism? No room at Mozilla, Inc. It’s the hypocrisy of such a stance–shove, shove, you think differently–because it’s discrimination at the most subtle level.

        As far as the add-ons mess, clearly everything is out-of-control at Mozilla–complete, utter chaos with no clear direction other than to throw more paint on the canvas and call it art for art’s sake.

      10. John Fenderson said on May 29, 2019 at 6:30 pm
        Reply

        @user17843:

        “They are not even out ouf touch with the community, but according to mozilla employees they are even out of touch with a significant percentage of the workforce at mozilla.”

        I agree. Even worse is that at the technical level, Mozilla has decided that telemetry is an adequate substitute for actually listening to and getting to know your customer base. That’s a myth, though. If all you have is telemetry data, you are almost guaranteed to draw incorrect conclusions.

        > If I would control Mozilla I would dissolve the foundation, fire all people except those who work in one of the main HQs (with 1000 employees they behave like they need 10 different head quarters), and switch to Blink.

        I could not disagree with either of those proposals more.

  5. Aris said on May 29, 2019 at 9:46 am
    Reply

    Remember back in the day when real full themes (not the lw-theme crap) and real add-ons (not the castrated WebExtensions) were a thing? It was not so long ago when add-on devs had to wait days, weeks or even month after uploading new add-on versions for those being “reviewed” and unlocked for the public. Mozilla claimed this had to be done for security purposes so no malicious code was secretly hiding within the theme or add-on. And what have we now? A crappy WebExtension system where no-one checks what gets offered to the public.
    Great job Mozilla!

    I’m glad I’m not developing any add-ons for Mozilla products anymore.

    My last one for Thunderbird, “CustomizMyBird”, will not get updated/rewritten for Thunderbird 68+. I moved away from Firefox on Windows and Android a while ago too.

    1. Klaas Vaak said on May 29, 2019 at 11:41 am
      Reply

      @Aris: what are you using as your browser on Windows now?

      1. Aris said on May 29, 2019 at 3:32 pm
        Reply

        On Windows: Vivaldi
        On Android: Kiwi

      2. Klaas Vaak said on May 29, 2019 at 3:34 pm
        Reply

        @Aris: thank you.

    2. Lord-Lestat said on May 29, 2019 at 12:25 pm
      Reply

      @Aris exactly. That is the issue.

      And Mozilla really has the guts to advertise Webextensions as fully secure and powerful. Just lie after lie. And they even are not twitching while telling it.

      Mozilla today are just… pathetic! Google really has taught them well!

      1. Iron Heart said on May 29, 2019 at 12:57 pm
        Reply

        > And Mozilla really has the guts to advertise Webextensions as fully secure and powerful. Just lie after lie. And they even are not twitching while telling it.

        Mozilla didn’t say that WebExtensions are “flawless” or the “holy grail” as you would put it. They merely said that they are more secure than legacy add-ons, which is objectively true, since they only have the ability to manipulate web content, while legacy add-ons can manipulate BOTH web content AND browser internals.

        “more secure” != “flawless”

        I beg to differ, otherwise only nonsense will be the result.

    3. luckz said on May 29, 2019 at 5:22 pm
      Reply

      Do you still use Thunderbird? Any other recommendations? I have a six digit number of mails in mine and it’s really not very fast, especially with old style mail files that require rewriting the file to add an email.

      tldr wondering what email client to use the next ten years

      1. John Fenderson said on May 31, 2019 at 6:46 pm
        Reply

        @luckz:

        I use Thunderbird, and I don’t see any reason why I won’t still be using it in 10 years. I have a similar number of emails as you do — but I don’t have Thunderbird actually manage them all. Instead, I set up a mailserver of my own that does that, and use Thunderbird to access the email there using IMAP.

        That may or may not a reasonable solution for you, but it works very well for me.

      2. Klaas Vaak said on June 4, 2019 at 5:13 pm
        Reply

        @John Fenderson: you stated

        I use Thunderbird, and I don’t see any reason why I won’t still be using it in 10 years.

        I was thinking that till recently to (been using it for 10 years now), but in view of the fact that the Lightening add-on was deleted with the last update (I lost all my tasks and events), and Mozilla’s recent antics with FF, I am not so sure anymore.

    4. Anonymous said on May 29, 2019 at 5:37 pm
      Reply

      Are you CTR’s author? I’ve been using your extensions for years. I just want to say thank you for that. I’m still using CTR in Waterfox.

      1. John Fenderson said on May 29, 2019 at 6:25 pm
        Reply

        @Anonymous:

        I’ll join this party. My need for the functionality of CTR is one of the reasons why I’m sticking with Waterfox.

      2. Aris said on May 29, 2019 at 7:43 pm
        Reply

        Correct. ;-)

        However, the deep/new changes in upcoming Waterfox 68 will cause CTR not to work anymore.

      3. John Fenderson said on May 30, 2019 at 5:11 pm
        Reply

        @Aris:

        Yes, that’s one of the reasons I’m not upgrading to 68.

        Thanks for your wonderful work, by the way!

  6. Lindsay said on May 29, 2019 at 10:02 am
    Reply

    “What do you think companies like Google or Mozilla should do?”

    Take some fucking responsibility for their shit. Pardon the French.

    1. Martin P. said on May 29, 2019 at 5:50 pm
      Reply

      Seconded wholeheatedly.

  7. Lord-Lestat said on May 29, 2019 at 11:53 am
    Reply

    I am impressed with how is it impossible to create malicious extensions/add-ons and making it impossible to upload them to the extension store – and all because of being created with Webextension technology. Shows the perfect and flawless security of this holy-grail of technology created by Google and adopted by Mozilla which can not be exploited at all as compared to XUL add-ons. Well done!

    Oh wait… hold on… Actually the opposite is the case! So much to Mozilla’s much loved catchword “security” :D

    1. Iron Heart said on May 29, 2019 at 12:54 pm
      Reply

      @Lord-Lestat

      It’s you again… Listen carefully: WebExtensions are absolutely able to manipulate web content, they are just unable to modify browser internals(!). That’s the reason why things like uBlock Origin still exist, while Tab Mix Plus doesn’t. Whenever the ability to manipulate web content exists, security issues can arise. That being said, legacy add-ons were able to manipulate web content AND browser internals. So WebExtensions are more secure in that regard, as they are more restricted. You definitely can’t take the ability to manipulate web content away, as that would make things like adblockers or NoScript impossible.

      > flawless security of this holy-grail of technology created by Google and adopted by Mozilla which can not be exploited at all as compared to XUL add-ons. Well done!

      It was never said that the technology can’t be exploited at all. WebExtensions can still manipulate web content, I have just explained why this ability is necessary. This ability can be misused in malicious ways. WebExtensions ARE more secure than legacy add-ons because they can’t change the behavior of browser internals, merely of web content.

      No software is 100% secure, even some of the most secure software worldwide has security flaws. That’s because human beings write the code, and they are not infallible. That being said, some software can be objectively more secure as compared to other software, and that’s definitely true for WebExtensions.

      The only thing you can really criticize is the lack of a proper review process, but you don’t do that at all… I do criticize said lack of care, by the way.

      Your irrational hatred of Mozilla and all they stand for leads to irrational statements like this, which can easily be debunked.

      Cheers.

      1. Lord-Lestat said on May 30, 2019 at 5:06 pm
        Reply

        @Iron Heart So speaks the Mozilla apologist.

        A non-skilled one who just installs/tries out randomly one’s was able to get malicious XUL based one’s and is able to get malicious Webextension one’s when finding such and installing such. The only real secure way out would be to exclude add-on technology in general.

        2)
        The question of “secure” or “speed” was never an issue for Mozilla before they started to compete with Chrome. It started when Google Chrome started to rise like a rocket and with Mozilla switching to the rapid-release update system as first step decided to make a change of concept to be “competitive” against Chrome (aka. absorbing the user groups which Chrome was targeting)

        Whatever – this is not a question about “security” – this is and stays a concept related question – And it started already with the first Australis version where the ability to modify the UI was to a large degree outsourced to add-on capabilities – something which further got restricted with version 57.

        There are only 2 concepts out there – The concept that features/customization is useful (uphold by Seamonkey, Waterfox classic, Vivaldi, Otter, Qutebrowser, Falkon, Pale Moon and others) and the concept that speed/minimalism is useful (uphold by Chrome, Safari, Edge, Opera-new and Mozilla-new and others)

        Keep your illusions about Mozilla and believe in them and their constant lies as much as you want. The point is and stays still valid. Mozilla does all of that to compete with Chrome and the hope to absorb most of Chrome users. And for this, features called “bloat” by non-demanding users have to go.

      2. Iron Heart said on May 30, 2019 at 7:28 pm
        Reply

        @Lord Lestat

        > A non-skilled one who just installs/tries out randomly one’s was able to get malicious XUL based one’s and is able to get malicious Webextension one’s when finding such and installing such. The only real secure way out would be to exclude add-on technology in general.

        Nonsense. WebExtensions are more restricted in what they can do, which is objectively a security advantage. While they can be misused in malicious ways, the potential is higher with XUL add-ons by virtue of their greater capabilities. Of course add-ons are required, but Mozilla tried to strike a good balance between power and needed functionality here. Why are you even arguing with me over that?

        > The question of “secure” or “speed” was never an issue for Mozilla before they started to compete with Chrome.

        Again, nonsense. Those were always on the radar. Mozilla did continuously improve Gecko even when Firefox was more “customizable” and security issues were also regularly fixed back in the day. WebExtensions contributed to enhance the browser’s security by limiting what extensions can do.

        > It started when Google Chrome started to rise like a rocket and with Mozilla switching to the rapid-release update system as first step decided to make a change of concept to be “competitive” against Chrome (aka. absorbing the user groups which Chrome was targeting)

        Citation needed, otherwise it’s only speculation on your part. The more likely reason for the rapid release schedule is the WWW moving at a very fast pace, compared to the early 2000s. Consequently, browsers need to support a broader range of functionality that needs to be maintained in a steady manner.

        > Whatever – this is not a question about “security” – this is and stays a concept related question

        No, it’s a question regarding security. Overcomplicating things doesn’t always lead to a proper solution.

        > And it started already with the first Australis version where the ability to modify the UI was to a large degree outsourced to add-on capabilities

        As far as I know, add-ons could basically do anything to Firefox during the FF 29-56 era, so I don’t know what you are talking about. And while Australis took away some forms of interface customization, it also introduced others. For example, a customizable main / hamburger menu which wasn’t present before.

        > There are only 2 concepts out there

        Black and white thinking at its finest. And no. All browsers try to strike a balance between power / functionality and ease of use.

        > Keep your illusions about Mozilla and believe in them and their constant lies as much as you want.

        WebExtensions are more secure by default, that’s objectively true and has nothing to do with what Mozilla might or might not claim.

        > The point is and stays still valid.

        …in your mind.

        > Mozilla does all of that to compete with Chrome and the hope to absorb most of Chrome users.

        Mozilla doesn’t have the financial resources to compete with Google. Google invests more money into Chrome’s marketing alone than Mozilla is able to invest into Firefox in its entirety, including cost-intensive development of the engine.

        > And for this, features called “bloat” by non-demanding users have to go.

        Firefox has removed some options and has introduced others. No software I know remains stale over the course of time, which is what you are demanding.

        Oh no, Microsoft has removed Windows Media Center from Windows 10! My bad! How dare they? – LOL.

        Lordy, let it be. It’s okay. And please, for the sake of peace, don’t add your political diatribe again. Thank you.

      3. Lord-Lestat said on June 1, 2019 at 1:37 am
        Reply

        @Iron Heart Just keep on deceiving people. A Mozilla apologist is and stays a Mozilla apologist no matter what they do.

        >Nonsense. WebExtensions are more restricted in what they can do, which is objectively a security advantage

        rambling rambling… security… rambling rambling… speed – Nothing new from you. Typical pro-Mozilla damage control :D Sure it would be the most securest way. No add-ons – No attack-vectors. But i see you are unable to count 1+1 together. Also, a browser works fine without add-ons.

        Mozilla tried to give simple users the toys what they demand – and removed the features simple users do not need. Mozilla – like Opera – targets simple users since Australis. Keep on rambling, but it has only in a minor way to do with security. This was a change of concept! Which was discriminating conservative power-Users.

        >Again, nonsense. Those were always on the radar.

        Not speaking about security fixes/patches – origin Mozilla kept features because they had at that time a pro-power user supporting concept, while Mozilla-new has a simple users-supporting concept

        >No, it’s a question regarding security.

        Mozilla damage control detected. It IS a concept related question and stays a concept related question, no matter how much you Mozilla apologists like to do damage control for them at every incident.

        >As far as I know, add-ons could basically do anything to Firefox during the FF 29-56 era, so I don’t know what you are talking about

        Seems reading is not your strength isn’t it? Firefox 22-28 did not need add-ons for UI customization. Australis removed this features and moved them to add-ons. Firefox 57 removed the majority of that UI customization abilities and the only powerful toy left is userchrome.css

        >Black and white thinking at its finest.

        Mozilla apologist arguing again. Actually there ARE only 2 concepts. Which can be seen with every different browser in action. The one’s who put their focus on features – and power-users/expert users and the one’s who put their focus on simplicity/design/speed

        >WebExtensions are more secure by default

        And they can still be abused like XUL based add-ons. No matter how much “secure” they are because of being restricted

        >…in your mind.

        Mozilla shill in action

        >Mozilla doesn’t have the financial resources to compete with Google.

        First thinking, then writing. Competing = fighting for the users which are using Google Chrome and not Firefox with “streamlining” their concept in favor of simple users.

        >Firefox has removed some options and has introduced others.

        Options which only make simple and non demanding users happy. While almost all power-user appreciated features have been removed for this concept change.

        >Lordy, let it be. It’s okay. And please, for the sake of peace, don’t add your political diatribe again. Thank you.

        The problem is you show that is necessary to compare between left and conservative attitude. And why? The so-called political left based users – to which you clearly belong – are being rude, showing no respect for other opinions and features which are empowering instead of restricting – Compared to you “progressives” – people with conservative opinion act in a way more civilized AND reasonable way. This is a fact. And you clearly deliver constantly the evidence that it is 100% true. It is about attitude.

    2. Anonymous said on May 30, 2019 at 3:39 am
      Reply

      Are you living in your own world? Are you even reading the article? It’s been proved many times that WebExtension does not provide any security.

      1. John Fenderson said on May 31, 2019 at 5:36 pm
        Reply

        @Anonymous: “It’s been proved many times that WebExtension does not provide any security.”

        Nonsense. Iron Heart is correct about this. WebExtensions are inherently more secure than the old extensions because they present a smaller attack surface. This is simply objective fact. “More secure” does not mean or imply “completely secure” (particularly since there’s no such thing as “completely secure”.)

        The question is, is the increased security that results from a seriously restricted extension system worth what was lost? That’s an entirely subjective call. For me, it was absolutely not.

      2. Klaas Vaak said on June 4, 2019 at 5:09 pm
        Reply

        @Anonymous: if it has been proved, please provide some concrete evidence, such as links to web sites, blogs, etc. that know what they are talking about. Your statement like that is just that: a statement. Someone else could state the contrary. John Fenderson did, but he explains why.

  8. Allen said on May 29, 2019 at 12:07 pm
    Reply

    I guess Mozilla discovered they can make just as much money by not caring about users as they did when they cared about users. Mozilla’s current motto: “There’s a sucker born every minute.”

    1. Klaas Vaak said on May 29, 2019 at 12:15 pm
      Reply

      @Allen: I don’t think they ever cared about users. What they cared about is having a product that could clearly and attractively be distinguished from the competition. That business model is being deprecated, or so it seems.

    2. about not caring about users said on May 29, 2019 at 3:17 pm
      Reply

      mozilla-central is a big complex software project. Its size and complexity slows us down, and it’s daunting to think about making it easier to reason about. We’ve often put off making life easy for ourselves because our users come first. We generally prioritize fixing bugs for users over internal work.

      source: Browser Architecture Update

      1. John Fenderson said on May 31, 2019 at 6:50 pm
        Reply

        @about not caring about users:

        I think that what happened is that Mozilla changed which users it cares about with Firefox. It’s aiming at the least common denominator now, in an attempt to maximize market share. It no longer seems to care about its older, established user base (or at least, not about longstanding users like myself).

  9. Kim Cosmos said on May 29, 2019 at 12:10 pm
    Reply

    It did not start in 2017. Before that (and now) extension submission allows a tick box for supported platforms. Most developers tick all. However android has no toolbar buttons so well over half the android extensions have never had any way to be activated. This despite android being the most used web platform in the world. FF has no interest in this however because their developers are not from poor countries. My complaint is not malware, and the android extensions could be checked automatically but are not. It is simple neglectful snobbery, a far cry from their mission. I hoped it would change with quantum but no luck. I would talk to them but every time I “successfully” change my FF password I cannot log in (which also means my synched bookmarks are gone). Poor people can only afford android tablets and phones. Developers find that laughable.

  10. Torin Doyle said on May 29, 2019 at 12:16 pm
    Reply

    I presume these are fine? They both have generic usernames.

    (Firefox user 12917411)
    https://addons.mozilla.org/en-US/firefox/addon/tab-count-icon/

    (Firefox user 13499009)
    https://addons.mozilla.org/en-US/firefox/addon/librejs/

    1. TelV said on May 29, 2019 at 2:56 pm
      Reply

      @Torin Doyle,

      It looks like Mozilla renaming developers who have rewritten their legacy addons as WebEx. Both the devs in your links have been around for at least a year and have previous versions listed.

      Kinda odd though if Moz is indeed taking it upon themselves to rewrite a dev’s name.

      1. Torin Doyle said on May 31, 2019 at 10:38 am
        Reply

        Hi TelV. That’s odd indeed for them to rename devs names.

    2. Hunter said on May 29, 2019 at 5:17 pm
      Reply

      LibreJS is at the very least managed by the Free Software Foundation.

      The other addon does have a link to the source code as well, so I’d assume both are perfectly fine.

      1. Torin Doyle said on May 31, 2019 at 10:39 am
        Reply

        Hi Hunter. Thanks for the advice. 👍

  11. Anonymous said on May 29, 2019 at 12:29 pm
    Reply

    These are obvious scams. They should at least take a look before approving them – no need for full review. And maybe new extensions should not be public before someone approve? (again – no need for full review).

  12. Frank Church said on May 29, 2019 at 1:08 pm
    Reply

    The problem is addon store owners creating a false sense of security to naive users by claiming to do the impossible, ie vet every addon for security issues. Mozilla is not the only one. Apple, Google, Microsoft and damn near every store owner do the same thing.

    Program reputation, developer reputation, usage count, and time of existence are the only ways users can be reasonably confident that extensions they use are safe. Even an established trusted addon can change when it is bought by a company who then change it collect more data and spy on users.

    The proper way to do it is to layout criteria that end users can use to judge whether the addon sthey download are safe or not, ie are of good repute, and develop evolving static analysis processes that can be crowd sourced so third parties evaluations can also count.

    https://old.reddit.com/r/firefox/comments/buahte/a_wave_of_malware_addons_hit_the_mozilla_firefox/epah35w/

  13. Anonymous said on May 29, 2019 at 1:24 pm
    Reply

    Mozilla of old already has such a system in place that should minimize such occurrences but they reneged on that. Mozilla deserves the hate from their user base and the subsequent loss of market share. As a browser developer, it’s quite unbelievable that they wouldn’t see such possibilities from occurring when they gave up on the task of manually checking the submitted add-ons for malware. But as pointed out by other users elsewhere on ghacks, Mozilla is following a different tune now.

  14. Ascrod said on May 29, 2019 at 1:37 pm
    Reply

    “What do you think companies like Google or Mozilla should do?”
    Require a manual review process prior to publication of extensions. Cut some management bonuses and hire a larger review team so that extensions can be processed faster.

  15. ULBoom said on May 29, 2019 at 2:22 pm
    Reply

    Mozilla’s planning a Firefox party to celebrate results of a recent user add on satisfaction survey. The party’s theme is “Yay, Not as Bad as Chrome!”

    What do FF’s automated checks do? At minimum, a description of an add on should be required; many have no description. I’d never install anything with no description or an add on with many five star reviews appearing immediately after submission.

    Why should Mozilla bother when they can outsource review for free to users such as Martin? Lazier is Betterer, Mozilla party scheduled for that, too.

  16. Noitidart said on May 29, 2019 at 2:38 pm
    Reply

    I stopped using extensions in 2017, aside from the ones where I personally know the author.

  17. Tim said on May 29, 2019 at 3:55 pm
    Reply

    Wasn’t the heavy handed policy of requiring every extension to be signed, which also caused every extension to explode (read: spontaneously stop working) for pretty much every single Firefox user in existence a couple weeks ago, supposed to prevent this?

    These closed ecosystems are only as safe as the person vetting them is diligent at doing their job. And practically speaking, when you have one that is a massive success, like Google Play, there’s no way they can screen the behavior of every application. It just requires way too much manpower. So in spite of all the signing and preventing users from “side-loading” content, we still have a system that is still pretty vulnerable to bad actors, only where end users now have less freedom, because of both the signing requirement and because stuff that they depend on can just stop working all of the sudden without any warning.

  18. Šime Vidas said on May 29, 2019 at 4:38 pm
    Reply

    It should be noted that the author switched the search to “Recently updated” (Mozilla should probably remove this option). What matters is that when the user performs a search, the results are sorted by “Relevance,” so these zero-star, zero-users, clearly fake extensions do not show up.

  19. FuMoz said on May 29, 2019 at 5:26 pm
    Reply

    Not checking extensions before allowing in the store is plainly irresponsible and shows the inferior attitude Mozillas behind all their glorious statements about caring for the user.

    Wondering how the responsible wigs @ Moz would feel sitting in a car, going 150 miles/hr and going straight for a concrete wall. No breaking possible, steering disabled. But the car manufacturer ensures them everyting will be fixed after they hit the wall. Very appeasing, right ?

    At this time I am honestly confused what car to drive. What choice do we have ? Don’t these cars all corrupt our privacy and/or are unsafe for many reasons ? Isn’t there at least one developer out there who tries to be a little decent and willing to listen to the users ?

  20. Steven said on May 29, 2019 at 5:33 pm
    Reply

    Thanks Martin for the warning. I just fixed someone’s computer today & after installing Firefox just installed 3 extension, uBlock Origin, NoScript & a password viewer. All checked & safe.

  21. USAwebuser said on May 29, 2019 at 5:45 pm
    Reply

    I guess extensions are a big target now that plugins are done. I never have used extensions, mainly because its yet another path for malware and its difficult at times if I can trust the extension developer to properly support it. Still don’t understand why these extensions cannot be properly vetted before hitting the store?? Mozilla talks a good talk about caring for its users but they have made some real missteps lately with regards to extensions.

  22. T. Roll said on May 29, 2019 at 6:07 pm
    Reply

    You all complained when Mozilla insisted on reviewing add-ons before publishing and signing all add-ons. Mozilla did that because of all this malware junk. Now that Mozilla is publishing before reviewing asynchronously, you complain about the malware add-ons.

    1. 99 said on May 29, 2019 at 8:48 pm
      Reply

      For the notorious bellyacher, that insist on human reviewing add-ons before publishing, here are 588 add-ons from

      Brand Thunder, LLC

      to review in large gulps without pausing.

      Cheers!

    2. Anonymous said on May 30, 2019 at 3:42 am
      Reply

      Who is this ‘you’? Users never asked for it. Cite for the source?

    3. John Fenderson said on May 31, 2019 at 5:42 pm
      Reply

      @T. Roll: “You all complained when Mozilla insisted on reviewing add-ons before publishing and signing all add-ons.”

      Who is “you all”? I certainly didn’t, and lots of other people didn’t. Could it be that the ones complaining then are a different set of people than the ones complaining now?

  23. Klaas Vaak said on May 29, 2019 at 6:44 pm
    Reply

    @Stan: +1

  24. Anonymous said on May 29, 2019 at 7:04 pm
    Reply

    The new system of webextensions without manual reviews is less secure than the previous system of powerful extensions with manual reviews. We lost both security and control. If they lack resources for manual reviews, why not stop working on unwanted bloat to do that instead ? And cut the salary of the managers who make that sort of choices, they’re not worth it.

  25. Anonymous said on May 30, 2019 at 2:04 am
    Reply

    I suspect I am OK at selecting extensions. However, computer security is not something that is solved by a single thing. Goodbye Firefox.

  26. unyk said on May 30, 2019 at 4:16 am
    Reply

    Great. I just switched back to Firefox after 10 years & this is the news I’m welcomed with.

  27. 8Geee said on May 30, 2019 at 4:49 am
    Reply

    Perhaps end-users that code in C or C+, a few of you could help with NetSurf…
    Basically, it needs to remove the SSL3, TLS1.0, and TLS1.1 certs, and add TLS1.3.

    HTML5 is also needed, but without the js or canvas.

    Just a thought.

    BTW that ionMonkey and SKIA in FF is total crapware. More drugs that need a fix. LOL

    8Geee

  28. Klaas Vaak said on May 30, 2019 at 6:19 am
    Reply

    Another consideration that poses a threat to Firefox: there is now a NoScript version Chrome, previously the sole domain of Firefox.
    https://www.dedoimedo.com/computers/google-chrome-noscript.html

  29. AnorKnee Merce said on May 30, 2019 at 5:37 pm
    Reply

    Maybe, Mozilla should outsource Firefox extension vetting to the China government who presently vets every app in local Android App Store and local iOS App Store before publication = no malware but got communist censorship.*joking*

    1. Stan said on May 31, 2019 at 2:44 am
      Reply

      Nice one! :)

  30. AnorKnee Merce said on May 30, 2019 at 6:13 pm
    Reply

    Can Mozilla auto-scan Firefox extensions for malware before allowing them to be auto-published.?

    Shouldn’t Firefox auto-scan an extension for malware before allowing the user to install it.?

  31. Gullible user said on May 30, 2019 at 10:15 pm
    Reply

    EPIC, as M0z|lla sold us that the new, better , improved web-extensions will be so much better for security of all of us customers.

  32. Jozsef said on May 31, 2019 at 9:28 am
    Reply

    At the very least Mozilla could just tell us which extensions have been checked for security and then we could ignore the others unless the author is known to us and we trust them. Google is probably beyond hope.

  33. fuzzi said on June 3, 2019 at 5:20 pm
    Reply

    Honestly, I don’t install new addons that often but I am very happy for honest developers to be able to publish fixes and features fast. You can see the other side of the medal with opera addons. They are manually reviewed and therefore always out of date. It takes months.

    But Mozilla really needs a badge for “This addon was manually reviewed in version x.x.x”

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.

Be polite: we do not allow comments that threaten or harass, or are personal attacks. Please leave politics and religion out of discussions!