Do Firefox add-ons have full access to passwords etc?

  • 6 replies
  • 3 have this problem
  • 85 views
  • Last reply by cor-el

more options

I use a master password in Firefox password manager to protect log-in details. Yet I have heard that add-ons have full access to passwords and other data. Is that true?

I use Linux Lite, Ubuntu-based (a very nice OS, by the way).

All Replies (6)

more options

Chosen Solution

Over the years, Firefox has supported several different technologies for Add-ons to interact with Firefox data.

Traditionally, in what are now called Legacy extensions, yes, extensions could access passwords. (E.g., Password Manager access, Using Password Manager considered a best practice) Human reviewers at the Add-ons site checked extensions to see whether they did anything suspicious, so in most cases, there would have been a good reason for such access, such as connecting to FTP sites (FireFTP) or monitoring your webmail inbox for new messages.

Newer extensions written using the WebExtensions API (indicated on the Add-ons site with a badge that they work in Firefox 57+) have to show a bunch of permissions when you install them. I don't know if there's a permission for this any more or whether it's blocked. Maybe someone else can figure that out.

more options

Once you enter the master password then you log in to the software security device and the passwords are unlocked.

You can log out by clicking Cancel when you get an MP dialog (Show Passwords) or use the Log Out button in the device manager (Options/Preferences -> Advanced -> Security Devices).

more options

jscher, thanks, your reply sent me to the FF add-ons store where I looked up one of the add-ons which I already have installed. There was an orange triangle ! which opens a small window with the following:

"Permissions [Warning]

Some add-ons ask for permission to perform certain functions. Since you’re in control of your Firefox, the choice to grant or deny these requests is yours.

Please note this add-on uses legacy technology, which gives it access to all browser functions and data without requesting your permission."

Which confirms this add-on can access my data. As you say, maybe this will not be the case with newer add-ons. I may not stay around FF long enough to find out!

While I like FF I have to say its lack of up-front communication of such glaring vulnerabilities is a disgrace. At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set. That is not necessarily obvious to a new user, even intelligent ones, and we shouldn't have to stumble upon such vital information as we go along!

Meantime, I will search for a secure browser.

Modified by linuxuser23
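
The distinction discussed in the posts above, as an added example that is not part of the thread and not Mozilla's code: a Python check that opens an add-on package and reports whether it is a legacy add-on (an `install.rdf` is present, so no permission list limits it) or a WebExtension, listing for the latter the permissions declared in `manifest.json`. The function names and both sample packages are constructed for illustration.

```python
import io
import json
import zipfile

# Host patterns that the install prompt summarises as access to all websites.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def report(kind, unrestricted, apis=(), hosts=()):
    """Uniform result record; all_sites is True when every site is reachable."""
    all_sites = unrestricted or bool(ALL_SITES & set(hosts))
    return {"kind": kind, "unrestricted": unrestricted, "apis": sorted(apis),
            "hosts": sorted(hosts), "all_sites": all_sites}


def classify_xpi(data: bytes) -> dict:
    """Report what an add-on package (.xpi, a ZIP archive) is allowed to touch."""
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        names = set(xpi.namelist())
        # Checked first on purpose: if legacy packaging is present, assume the worst.
        if "install.rdf" in names:
            return report("legacy", True)
        if "manifest.json" not in names:
            return report("unknown", False)
        manifest = json.loads(xpi.read("manifest.json").decode("utf-8-sig"))
    declared = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # In a version 2 manifest, API names and host match patterns share one list.
    hosts = [p for p in declared if "://" in p or p == "<all_urls>"]
    apis = [p for p in declared if p not in hosts]
    return report("webextension", False, apis, hosts)


def make_xpi(files: dict) -> bytes:
    """Build a constructed sample package in memory (not a real add-on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in files.items():
            z.writestr(name, text)
    return buf.getvalue()


# Constructed samples: one legacy-style package, one WebExtension.
LEGACY = make_xpi({"install.rdf": "<RDF/>", "bootstrap.js": "// constructed"})
WEBEXT = make_xpi({"manifest.json": json.dumps({
    "manifest_version": 2, "name": "Constructed sample", "version": "1.0",
    "permissions": ["tabs", "storage", "<all_urls>"]})})

if __name__ == "__main__":
    for label, pkg in (("legacy", LEGACY), ("webextension", WEBEXT)):
        print(label, classify_xpi(pkg))
```

To audit a real profile, pass the bytes of each `.xpi` file to `classify_xpi`; any result with `unrestricted` or `all_sites` set deserves a closer look before you keep the add-on.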

more options

linuxuser23 said

"Meantime, I will search for a secure browser."

How is this a problem with your browser? If you do not want add-ons to access your data, either do not install add-ons or do not save sensitive data in your browser.

Or rely on a trusted intermediary to check them. As I mentioned, the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system. If you do not trust them to do that well, see the previous paragraph.

"At the very least a pop-up warning / or opt-in dialogue should be incorporated during installation and at other suitable times - especially warning users of the easy access to passwords where a master password has not been set."

Without a master password, your login data can be extracted by any person or program with access to your system. See: Use a Primary Password to protect stored logins and passwords. How would you recommend getting that information to users?

more options

To jscher,

your reply comes across as quite arrogant and dismissive, and I am not impressed.

You say "the human staff of the Add-ons site do check whether extensions make inappropriate access to sensitive data or inappropriately exfiltrate it out of your system", but I can only assume they do this at the time the add-on is accepted for listing, but not on a continual 24/7 basis. Therefore my point was reasonable and logical.

As regards how Firefox might get master password information to users I have already offered suggestions in my earlier post, which you have quoted.

Meantime, I have found a solution.

Please refrain from responding if you cannot do so in a respectful manner.

more options

All you need to access the passwords is some simple code in the Browser Console (you may be prompted for the MP if you haven't entered it yet):

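// Run in the Browser Console (privileged chrome context), not a tab's Web Console.
var pwdmanager = Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager);
// getAllLogins() returns every saved login object, password field included.
var signons = pwdmanager.getAllLogins({});
console.log(JSON.stringify(signons));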