“Access your data for all websites” permission extensions can save the data on their server?
An extension that has the “Access your data for all websites” permission, can transmit all the data from all websites visited on my browser to their server so to know what credit card I entered on a website or what type of porn do I watch?
How can I check and be sure that it transfer the data or not?
Wšykne wótegrona (7)
Theoretically, yes. However, most extensions don't do that. They simply need that permission to be able to access certain data.
For example, I made an add-on that blocks websites. I have to include the "Access your data for all websites" permission in my add-on so that I can see what websites the user is loading so that it can be compared to a list of websites that they want to block. Most ad blockers need the same permission for that reason.
That said, sure, there could be some that are transferring data (personal or statistical) to their own servers for their own uses. Detecting that would typically require you to use some kind of network traffic inspection tool like Wireshark to monitor and view what traffic is going over your network.
A far simpler idea would be to avoid extensions that aren't widely trusted and review the privacy policies of add-ons before you install them.
Hi cucurucu, developers who send data out of the browser are supposed to provide a Privacy Policy, which would be linked on the left side of the page on the Add-ons site or in the description. Of course, this assumes the developer is following the rules, so...
Wesley Branton said
Theoretically, yes. However, most extensions don't do that. They simply need that permission to be able to access certain data. For example, I made an add-on that blocks websites. I have to include the "Access your data for all websites" permission in my add-on so that I can see what websites the user is loading so that it can be compared to a list of websites that they want to block. Most ad blockers need the same permission for that reason. That said, sure, there could be some that are transferring data (personal or statistical) to their own servers for their own uses. Detecting that would typically require you to use some kind of network traffic inspection tool like Wireshark to monitor and view what traffic is going over your network. A far simpler idea would be to avoid extensions that aren't widely trusted and review the privacy policies of add-ons before you install them.
It's not possible to implement a system which let the extensions access all the data on websites but to use that data only on the client-side on the local machine, restricting the possibility to send data out on external servers?
Theoretically, you could. You would just need to know where the data is being sent to (via a network monitor) so that you can block it using a firewall or something. However, that could break some add-ons.
cucurucu said
It's not possible to implement a system which let the extensions access all the data on websites but to use that data only on the client-side on the local machine, restricting the possibility to send data out on external servers?
Currently, if an extension has the ability to modify the page, it can inject HTML, CSS, and JavaScript code to do anything the site could do, including images requests, background data communication, and modifying links. I don't know whether there would be a way to restrict what can be done in the page to prevent all scenarios for exfiltration of data.
The Add-ons site uses screening tools that detect certain patterns associated with exfiltrating data, but software is only so smart, so often human review is necessary to catch bad extensions.
My main worry is that the above mentioned private information gathered by these extensions is passed along to any of the big tech companies like Google, Facebook, Twitter or to third parties unknown to me Modzilla. In my opinion the permissions (potentially) totally negate the reasons for me to use Firefox in the first place. This type of data leak emanating from an extension is equivalent to what happened to Facebook data by Cambridge Analytica!!!
You just need to be mindful of the extensions that you are adding to Firefox. Make sure that they are trustworthy and that you read the privacy policy for them (if any). Many developers are open about why they need certain permissions. Certain extensions just can't function without that permission.