ALERT !!!!!!!! Firefox needs to be more secure for the add-ons section.

Hi, for the add-ons section, I think all the add-ons should be scanned.

It is not my fault if I download an add-on and it turns out to be a malicious add-on that executes remote code.
You are telling me: “This is not monitored for security through Mozilla’s Recommended Extensions program. Make sure you trust it before installing.”
How can I trust it if I don’t know anything about it?? Or if it is new?
-Most of the people here who are downloading add-ons are normal users like me, not people who understand code and development.-
Read reviews?? Do I understand from you that some people have to sacrifice for us so the rest can know if it is a bad or good add-on? And by the way, reading reviews is not enough. For example, a few months ago I downloaded a VPN similar to another one; lots of reviews say it is good, so I used it for maybe 1 month, then I disabled it and stopped using it. Today I looked at it in the disabled add-ons list and found this message: “VPN has been disabled due to security or stability issues.” I read more information about it, and it turned out that it was executing remote code… That means I shouldn’t even trust reviews!!
Nothing happened to my Firefox browser, but (it may happen) in the future, because of the already executed remote code, or maybe that code stole some information about me… I don’t know, but it may get worse; who knows what that executed code does…

=============================

Now after I provided my (((important))) suggestion, I need some advice please: what should I do now?? Should I now reinstall this browser and clean it and remove all of the history? Or change my passwords in ((every site)) I visited?? Or what?
Thank You Very Much.

Hello,

I agree that it would be ideal to review every add-on listed on the official Mozilla website. However, reviewing add-ons requires carefully inspecting their code as well as testing them in the browser. This is very resource-intensive and would be impractical to do for the thousands of add-ons we list. Currently, the only add-ons that are regularly reviewed are the ones that have the Recommended badge. The rest display the warning you quoted. There’s no sure-fire way to figure out if an add-on is completely safe to use, but that’s true of all software. If you’re uneasy about installing an add-on, it’s probably better that you don’t, and maybe ask someone for a second opinion.

It sounds like you installed an extension we blocked for security reasons (VPN). Unfortunately, we can’t tell you exactly what damage (if any) the extension caused in your system. Updating passwords or (even better) getting a password manager is a good idea, though it’s unlikely a malicious extension gained access to them. Reinstalling the browser or clearing your history won’t help in most cases. For more help, please visit our support site.

Yes (VPN), was blocked on 27 April.
I understand you can’t tell me what damage the extension caused in my system.
But can you please tell me what the remote code -that the VPN had- does with the browser?
Steal info? Control my browser?.. or what?
And is there any way to scan my browser?

The reason remote code is not allowed on extensions is that we can’t really know what it does, and it can change at any time. Also, given the prevalence of this problem and the limited time we have to deal with these issues, it’s not feasible for us to look deeper into it.

Ok. I understand.
And do I also understand that there is no way to scan my browser?
I mean I have an antivirus that scans my system, but I need something that scans my browser too.

Never Mind Sir, I guess my question was dumb, sorry for the annoyance.
and thank you.

Hey I just wanted to chime in and say that I appreciate you sharing your concerns. As a developer, I often am on the other side of the fence thinking “Why does Mozilla have to have a warning message about my addon? People won’t download it if they don’t think it’s safe!” so I appreciate hearing from someone who is not a developer.
But the truth is that security is a hard problem. I’m glad Mozilla hosts my plugin, but for them to fully review in person each of the plugins could easily take as much time as it did for all the developers to make them in the first place! (Although I believe they do have some automated scans that help catch some obvious problems.)

Even as a developer, I have the same types of questions as you do: “How do I trust this plugin?” And in some ways, more knowledge of the system might cause one to worry more rather than worry less - even when there’s nothing to worry about.

For me, I often start by looking at the non-technical aspects: Is there a developer website? Does the developer seem to be legitimate? Do they seem to care about their users?

Anyways, good luck and hope you find many good and safe plugins!

Thank You Very Much. Sir.

I rate my trust in an extension based on how many permissions it is requesting and whether they sound reasonable relative to the description of the extension.

If an extension requests too many permissions for what it does, it is automatically a red flag to me. If it is one of those ad blockers then I can accept it asking for lots of permissions. If it is something simple like highlighting certain words then I would only expect 1 or 2 permissions max. If it requests a lot of permissions but also advertises a lot of features, I may be put off and would search for other more basic extensions that don’t try to do so much.

I think Mozilla should focus on leveraging the permissions system more than just saying that all extensions are not vouched. They can incorporate the permissions into the search field. Like how people search for things that are 5 stars or above, users should be able to search for extensions that use 5 permissions or below. Or sort the extensions based on fewest permissions first.

I agree with you.
And thanks for telling us how you can expect if the extension is dangerous or not.

I kind of like the idea of being able to do sorting/filtering on number of permissions. I know it’s not perfect, as others have explained that some of the most common permissions are the most dangerous (e.g. ability to contact external website gives the ability to pass user data to a third party), but seems like it could be handy. Thanks for sharing!
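
The trade-off raised in the last posts (how many permissions an extension requests versus what each one can reach), as an added example that is not part of the thread and not Mozilla's code: it reads the permission fields of a `manifest.json` and scores them by reach. The weights and both sample manifests are constructed assumptions.

```javascript
// Added example: rate a WebExtension manifest by what its permissions reach,
// not by how many there are. Weights are illustrative assumptions.
const API_WEIGHTS = new Map(Object.entries({
  nativeMessaging: 5,    // exchange messages with programs outside the browser
  proxy: 4,              // control how browser traffic is routed
  webRequest: 3,         // observe network requests
  webRequestBlocking: 3, // modify or cancel them
  cookies: 3, history: 3, management: 3,
  tabs: 2, downloads: 2, clipboardRead: 2,
  bookmarks: 1,
  storage: 0, activeTab: 0,
}));

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");
// Match patterns that cover every site, e.g. "*://*/*" or "https://*/*".
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?|wss?):\/\/\*\//.test(p);

function auditManifest(manifest) {
  // Host access can be declared in three places; gather and de-duplicate them.
  const declared = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);
  const hosts = [...declared].filter(isHostPattern);
  const apis = [...declared].filter((p) => !isHostPattern(p));
  const broadHost = hosts.some(isBroadHost);
  // Unknown API permissions get a default weight of 1.
  const apiScore = apis.reduce((sum, p) => sum + (API_WEIGHTS.get(p) ?? 1), 0);
  // Access to every site outweighs any number of single-site grants.
  const hostScore = broadHost ? 10 : hosts.length;
  return { count: declared.size, score: apiScore + hostScore, broadHost };
}

// Constructed sample manifests (not real add-ons).
const highlighter = {
  name: "sample-word-highlighter",
  permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["highlight.js"] }],
};
const tabOrganiser = {
  name: "sample-tab-organiser",
  permissions: ["tabs", "bookmarks", "storage", "activeTab", "menus"],
};

const report = [highlighter, tabOrganiser]
  .map((m) => ({ name: m.name, ...auditManifest(m) }))
  .sort((a, b) => b.score - a.score);
console.log(report);
```

Both samples would pass a "5 permissions or below" filter, yet the two-permission one ranks higher here because its content script runs on every site.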