Hello, while looking for a suitable add-on for my need, I saw that the permissions of an add-on can be very impactful (access to all emails basically).
So I was wondering how secure the add-ons are.
I was then looking up if all Thunderbird add-ons are open source but didn’t find an answer.
What I noticed was that some add-ons seem to have a link to their source code while others do not (and sharing not much else).
In the add-on I was interested in (Simple Template) I saw no reference to its source code.
So I was wondering if I must carefully select open source add-ons or if they all are open source.
If there are closed-source add-ons, how are they validated towards security?
Addons are 3rd party programs made by “random” people all over the world.
Some are open source, some not, some are made by hobby programmers, some by companies, some by malicious actors, some are OK and later sold to malicious actors.
In general, it’s best to assume the worst, especially if you can’t tell whether the addon author is a known and credible entity.
Note that even a “link to github” doesn’t mean anything - there is no “proof” the addon submitted to the store is actually built from the source code. A single extra line of code (very long one) can be added to the addon during the build process.
Sadly, Thunderbird doesn’t have the Recommended badges for addons like Firefox, which guarantees the addon and all its updates are always manually reviewed.
Well, there are automated checks that “verify” that the addon looks good.
But there are also ways to hide the real behavior.
Users can also report suspicious addons, but Mozilla’s addons team is small and can check only a portion of these reports.
In any case, this is something that all 3rd party software stores are facing, and there are no easy solutions.
Check for example this article about the Chrome extensions store:
Regarding verifying the extension yourself - you could do that for smaller addons; there is this web tool built by a Mozilla engineer that allows you to inspect the code of any addon in any store:
But to be 100% safe, you would still have to disable updates.
Luckily, Thunderbird is not often targeted by malicious actors because it’s harder to monetize victims.
This is a very important subject and responsibility, certainly in today’s movement with AI integrated in many pieces of software, while testing code made by it has become very important and a security level of high priority.
Our advice for end users is to check addons’ permissions before installing, otherwise @juraj.masiar gave a detailed answer above.
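As an added example (not code from the thread or from Mozilla) of the two pieces of advice above, inspecting an addon yourself and checking its permissions before installing: an .xpi is a zip file whose manifest.json declares what the addon may access, so a small script can list and flag the broad mail-access permissions. The HIGH_IMPACT table is an assumed subset of Thunderbird MailExtension permissions, and the sample package is constructed inline.

```python
import io
import json
import zipfile

# Permissions that grant broad access to mail data (assumed subset for this
# example; check the Thunderbird WebExtension docs for the current list).
HIGH_IMPACT = {
    "messagesRead": "read the full content of every message",
    "accountsRead": "enumerate accounts, identities and folders",
    "compose": "create and modify outgoing messages",
    "addressBooks": "read and modify address books",
    "messagesMove": "move, copy and delete messages",
}

def inspect_xpi(xpi_bytes: bytes) -> dict:
    """Read manifest.json from an .xpi (a zip) and summarise what it asks for."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    declared = list(manifest.get("permissions", []))
    optional = list(manifest.get("optional_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    hosts = [p for p in declared if "://" in p or p == "<all_urls>"]
    hosts += list(manifest.get("host_permissions", []))
    api_perms = [p for p in declared if p not in hosts]
    flagged = {p: HIGH_IMPACT[p] for p in api_perms + optional if p in HIGH_IMPACT}
    return {
        "name": manifest.get("name"),
        "permissions": api_perms,
        "optional_permissions": optional,
        "host_permissions": hosts,
        "high_impact": flagged,
    }

def build_sample_xpi() -> bytes:
    """Constructed sample package for demonstration, not a real store addon."""
    manifest = {
        "manifest_version": 2,
        "name": "Constructed Sample Add-on",
        "permissions": ["messagesRead", "compose", "storage", "<all_urls>"],
        "optional_permissions": ["addressBooks"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// placeholder script\n")
    return buf.getvalue()

if __name__ == "__main__":
    for perm, why in inspect_xpi(build_sample_xpi())["high_impact"].items():
        print(f"{perm}: {why}")
```

To check a real package, pass the bytes of a downloaded .xpi to inspect_xpi; remember that the manifest only shows what the addon may do, not what its code actually does, so the flagged list is a starting point for reading the code, not a verdict.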