How does one know if an add-on really need all of its permissions, if it's not abusing its permissions, and so on?
Are add-ons' codes reviewed manually by humans or by other methods to see (1) if they really need the permissions they ask for in order to do what they claim to do, and (2) if they are not abusing these permissions even if they actually need them?
For an example of «2», an ad blocker may need the same permissions as a password manager, but how do we, users, know if the ad blocker is not stealing our passwords? This requires code knowledge that we don't have. So is anyone doing this (is anyone preventing this sort of abuse by manually inspecting extensions' codes)? Or are we on our own?
https://addons.mozilla.org/pt-BR/firefox/addon/dont-touch-my-tabs/, https://addons.mozilla.org/pt-BR/firefox/addon/open-in-browser/ and https://addons.mozilla.org/pt-BR/firefox/addon/lastpass-password-manager/ all require access to all data in all websites, for instance.
I know Google does not review Chrome extensions' codes manually, only automatically, but that's one of the main reasons I am using Firefox and asking this question in a Firefox forum, not a Chrome one.
Endret
All Replies (10)
Add-on questions should be posted in the add-ons forum; https://discourse.mozilla-community.org/c/add-ons
FredMcD said
Add-on questions should be posted in the add-ons forum; https://discourse.mozilla-community.org/c/add-ons
The category in which I posted the question is named "Customize controls, options and add-ons". Doesn't it cover add-ons?
BTW, I am asking in a user's perspective. I am a user and I want to know what is Mozilla doing regarding the (supposedly safer WebExtension-based) add-ons which (still) receive/require access to a lot of stuff.
Hi alainsr,
Maybe you'll find these articles interesting :
https://blog.mozilla.org/addons/2018/02/01/understanding-extension-permission-requests/
and :
https://support.mozilla.org/en-US/kb/tips-assessing-safety-extension
Murphy said
Hi alainsr, Maybe you'll find these articles interesting : https://blog.mozilla.org/addons/2018/02/01/understanding-extension-permission-requests/ and : https://support.mozilla.org/en-US/kb/tips-assessing-safety-extension
Yeah, I have read them, thanks, and then asked the question above because they don't answer my concern, unfortunately.
Endret
Maybe this article will shed some more light on it :
https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions
alainsr said
Are add-ons' codes reviewed manually by humans or by other methods to see (1) if they really need the permissions they ask for in order to do what they claim to do, and (2) if they are not abusing these permissions even if they actually need them?
Extensions are screened by software before they are posted. They are reviewed by humans at some point after they are posted. I don't know how that is prioritized, but probably the ones that use more dangerous commands are reviewed before others??
For #1, the policy states that only necessary permissions should be requested, but considering all the other things reviewers need to look at, I find it hard to imagine that is given a high priority.
For #2, the review process looks for dangerous or inappropriate code. However, it's not airtight. For example, extensions are allowed to access external pages, and those pages can change after the extension is reviewed. We had an instance of that on the forum recently. This should not have made it through review in my opinion.
For an example of «2», an ad blocker may need the same permissions as a password manager, but how do we, users, know if the ad blocker is not stealing our passwords?
Hmm, how would an extension steal passwords? I guess by logging keystrokes or by reading a filled-in form or by intercepting the submission. That would be bad. I don't know how reviewers are trained to catch that kind of thing. Perhaps that would be a good question for this forum:
I found a guide for reviewers which tells them what to do, so that might be of interest (I haven't set aside time to read it yet): https://wiki.mozilla.org/Add-ons/Reviewers/Guide
Quote: all require access to all data in all websites, for instance.
This permission is required to be able to scan for login forms on web pages. This permission has nothing to do with accessing passwords. The API that adds permission to access passwords isn't available yet, so I assume that last pass implements its own password storage.
jscher2000 said
alainsr saidAre add-ons' codes reviewed manually by humans or by other methods to see (1) if they really need the permissions they ask for in order to do what they claim to do, and (2) if they are not abusing these permissions even if they actually need them?Extensions are screened by software before they are posted. They are reviewed by humans at some point after they are posted. I don't know how that is prioritized, but probably the ones that use more dangerous commands are reviewed before others??
For #1, the policy states that only necessary permissions should be requested, but considering all the other things reviewers need to look at, I find it hard to imagine that is given a high priority.
For #2, the review process looks for dangerous or inappropriate code. However, it's not airtight. For example, extensions are allowed to access external pages, and those pages can change after the extension is reviewed. We had an instance of that on the forum recently. This should not have made it through review in my opinion.
For an example of «2», an ad blocker may need the same permissions as a password manager, but how do we, users, know if the ad blocker is not stealing our passwords?Hmm, how would an extension steal passwords? I guess by logging keystrokes or by reading a filled-in form or by intercepting the submission. That would be bad. I don't know how reviewers are trained to catch that kind of thing. Perhaps that would be a good question for this forum:
It's precisely by reading a filled-in form that they might (hopefully not) do it.
I just saw that an add-on I have already used in the past and thought about reinstalling, Usable Home Button (https://addons.mozilla.org/en-US/firefox/addon/usablehomebutton/), which simply navigates current URL's levels/breadcrumbs (it takes you from https://addons.mozilla.org/en-US/firefox/addon/usablehomebutton/ to https://addons.mozilla.org/en-US/firefox/addon/ or https://addons.mozilla.org/en-US/firefox/ or https://addons.mozilla.org/en-US/ or https://addons.mozilla.org/), requires all these permissions:
- Access your data for all websites
- Read and modify browser settings
- Clear recent browsing history, cookies, and related data
- Input data to the clipboard
- Access browsing history
- Display notifications to you
- Access browser tabs
WTF? Why doesn't it ask for a blood sample already, so that it can know my genes?
jscher2000 said
I found a guide for reviewers which tells them what to do, so that might be of interest (I haven't set aside time to read it yet): https://wiki.mozilla.org/Add-ons/Reviewers/Guide
At https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing (the specific part where the reviewing process is detailed), there are only two occurrences of anything that starts with "permiss...", none of which gets even close to any of what we are discussing here.
If an add-on requires direct access to our DNA, it seems no one is asking oneself why is that specific permission needed. So at the end implementing WebExtensions provided little or no (additional) security at all (compared to legacy extensions), because:
- Users cannot tell what permissions are really needed for add-ons to do what (I am a savvy user and yet I cannot, so I wonder most people I know), so there's no informed decision making at the end of the chain (the users); and
- Permissions required by add-ons seem to be simply free of any control measure by Mozilla, which should be the filter between abusive add-ons (i.e., abusive developers) and users.
If #2 is hard to solve (if not even Mozilla can assess the safety of permissions required by add-ons), then it's obvious that #1 is even harder to solve and is not going away anytime soon, not within a few (human) generations to come.
cor-el said
Quote: all require access to all data in all websites, for instance. This permission is required to be able to scan for login forms on web pages. This permission has nothing to do with accessing passwords. The API that adds permission to access passwords isn't available yet, so I assume that last pass implements its own password storage.
LastPass receives these permissions:
- Access your data for all websites
- Exchange messages with programs other than Firefox
- Display notifications to you
- Read and modify privacy settings
- Access browser tabs
- Access browser activity during navigation
With these permissions, LastPass manages to capture your (filled in) passwords in order to save them and also know when you typed a different password and offers to update the one in its database. I don't see any password-related permission in there, so I conclude that any add-on with the same permissions (or with the one crucial permission in there, which I assume is the first one, but I really don't know) can do the same, without the user ever having a clue.
Everyone states that users should get long, safe, unreused passwords, but there seems to be a (huge) hole that would allow this kind of sensitive information leaking.
I suddenly feel unsafe (using any browser, not only Firefox). LastPass for Chrome, Opera and any other browser works the same. Do these other browsers have a specific permission for accessing typed passwords? I don't remember seeing anything like it.
And even if we don't talk about passwords and a certain permission is really needed by an add-on, how do we know it's not abusing it? Say "Access your data for all websites" is really needed for an add-on to do "X": how can I know it is not using that permission to watch my browsing behavior and share this data with third parties?
This makes me very sad, and it's so serious that users should be burning cars and demanding heads for such a neglected risk, shouldn't we?
Endret
The "Usable Home Button" menu includes features that require looking inside the web page (canonical URL tag, first level heading) and accessing history (delete from history) and site data ("forget about this site") and browser settings (go to your home page). If an extension is limited to ONLY features related to the displayed URL, the extension would only need the "Access browser tabs" permission (this permission allows access to the title, URL, and site icon on tabs, without access to page contents). So the issue here is that the extension has many features you don't care about. Maybe the developer can spin off a simpler extension for you and other users with similar preferences.
More generally, I think it is reasonable and appropriate to be concerned about the safety of browser extensions and other software running on your system. There's no silver bullet for this problem.
In addition to only installing software that meets your risk tolerance and is from developers you feel you can trust, you can surround your system with additional layers of security, such as software/services that prevent access to bad sites, which reduces the risks associated with trojan downloaders and exfiltration of local data.