Demonstrating security of an add-on

As far as I can see as a newcomer to making add-ons, they could potentially be a massive security risk. Could an add-on capture user input (for example when they fill in forms) and send it to a 3rd party? If there is any information on how add-ons are prevented from doing this type of thing and other security stuff, I would be very grateful to be directed to it.

Yeah, this is one of those things that’s best to not think about :smiley:, like bacteria and viruses around you :slight_smile:.

But seriously now, if the addon asks for access to all pages, it better have the “Recommended” badge (that means that the code is manually checked so it should be safe).
Otherwise you really need to trust the author of the addon. And if the author is unknown / anonymous, then good luck :smiley:.
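The reply above turns on one question: does the add-on ask for access to all pages? Below is an added example (not code from this thread or from any add-on mentioned in it) that answers that question from a WebExtension manifest.json. It gathers every place a manifest can request page access (the MV2 `permissions` list, the MV3 `host_permissions` list, their optional variants, and each content script's `matches`) and flags the match patterns whose host part is `*` or the `<all_urls>` shorthand. The three manifests at the bottom are constructed samples.

```javascript
// Added example, not code from the thread: audit a WebExtension manifest
// object and report which host match patterns grant access to every page.
// The sample manifests below are constructed, not real add-ons.

// A match pattern is "<scheme>://<host>/<path>". A host of "*" (or the
// "<all_urls>" shorthand) matches every site.
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)?$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// In MV2 the "permissions" list mixes API names ("storage") with host
// patterns; only the entries that look like match patterns matter here.
function looksLikeMatchPattern(s) {
  return s === "<all_urls>" || s.includes("://");
}

// Collect every place a manifest can ask for page access. Content scripts
// are included because their "matches" decide which pages they run in,
// independent of the permissions lists.
function collectHostPatterns(manifest) {
  const out = [];
  const keys = ["permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"];
  for (const key of keys) {
    for (const entry of manifest[key] || []) {
      if (looksLikeMatchPattern(entry)) out.push({ source: key, pattern: entry });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) out.push({ source: "content_scripts", pattern: p });
  }
  return out;
}

// Split the collected patterns into broad (every page) and scoped ones.
function auditManifest(manifest) {
  const broad = [];
  const scoped = [];
  for (const entry of collectHostPatterns(manifest)) {
    (isBroadPattern(entry.pattern) ? broad : scoped).push(entry);
  }
  return { broad, scoped, requestsAllPages: broad.length > 0 };
}

// Constructed sample: a Manifest V2 add-on asking for every page outright.
const SAMPLE_ALL_PAGES = {
  manifest_version: 2, name: "sample-a", version: "1.0",
  permissions: ["storage", "<all_urls>"],
};

// Constructed sample: Manifest V3, limited to one site.
const SAMPLE_SCOPED = {
  manifest_version: 3, name: "sample-b", version: "1.0",
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["cs.js"] }],
};

// Constructed sample: no host entry in "permissions", but a content script
// that runs in every page and can therefore read page content everywhere.
const SAMPLE_CONTENT_SCRIPT_EVERYWHERE = {
  manifest_version: 2, name: "sample-c", version: "1.0",
  permissions: ["storage"],
  content_scripts: [{ matches: ["*://*/*"], js: ["cs.js"] }],
};

for (const m of [SAMPLE_ALL_PAGES, SAMPLE_SCOPED, SAMPLE_CONTENT_SCRIPT_EVERYWHERE]) {
  const r = auditManifest(m);
  console.log(`${m.name}: requests all pages = ${r.requestsAllPages}`,
              r.broad.map((e) => `${e.source}:${e.pattern}`));
}
```

The third sample is the one worth noticing: the permissions list looks harmless, yet the content script's `*://*/*` pattern puts it in every page, so a check that only reads the permissions list would miss it.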

I did not know about the badges, i.e. Firefox Add Ons, Recommended Add Ons and the rest, but have read about them now (https://support.mozilla.org/en-US/kb/add-on-badges).

I am not surprised (evil) hackers are having such a productive time when people can just add an extension to their browser which could deliver their online life to the hacker. Not letting it access all pages seems like very good advice: Thanks!

Normal addon developers are unlikely to turn their work into password-stealing malware and risk jail time.

The main risk is these f*ckers:


(I’ve received these two today; on average I get one offer a day now!)

Especially if you are an amateur developer, a message like this can sound super promising.
You’ve been a poor addon developer for so long and suddenly someone finally recognizes your hard work and wants to help you!

And BAM! Malware in the next release and all your users are affected!

I think all addon developers should see a huge warning about these practices every time they release a new version.

Very interesting! Thanks for sharing that. So even if you trust the developer, you have to be aware that the add-on could change hands and then become a security risk. My concern over this sort of thing is one reason I am thinking of making my own add-on (I trust myself!). On the other hand, that is a rather limited approach.

I just came across this paper on identifying Add Ons that compromise users’ privacy:

Ex-Ray: Detection of History-Leaking Browser Extensions

http://www0.cs.ucl.ac.uk/staff/E.Mariconti/papers/exrayACSAC2017.pdf
