Firefox addon asks for permission to access data for all websites. Is it possible for this addon to steal my gmail password?
During install, a Firefox addon asks for these permissions;
- Access your data for all websites
- Access browser tabs...
If I grant these permissions, could the author of this add-on access my email account data, emails and passwords while it's open on a Firefox tab?
Moambuepyre
Ñemoĩporã poravopyre
mcflay said
Sorry but the explanation is not complete and leaves some doubts.
i) the-edmeister saidIs it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.ii) But from the official page here I read:
The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.iii) Then jscher2000 said
To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.
Hi Marco, do you see how those are all consistent?
- Extensions cannot directly access information saved in Firefox's password manager.
- Extensions CAN read the username and password in form fields in a page, if they have permission to that page.
Here are the doubts...
Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?
If Firefox's password manager puts the data into the page, yes.
Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?
Yes.
Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?
Extensions require that permission to make changes in the page. Many useful extensions do that. There is a huge risk if the author/publisher of the extension is not trustworthy. Shop carefully.
Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?
Those are selected by a human and were considered safe at the time of selection. Just having permission doesn't mean it will be abused.
Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?
Since we are on the topic of extensions:
(1) Only install extensions you can trust. (2) Do not run any unnecessary extensions. (3) If there are extensions you only use occasionally, and they can read the contents of pages, disable them until needed.
Some people go so far as to create a separate Firefox profile for financial tasks, with a more restricted set of add-ons. Running two different Firefox profiles at the same time uses a lot of memory, so that might not be useful if you need to access your bank frequently. If you want to try it, someone could provide more details. Or better yet, start a new question about that since it's beyond the scope of this thread.
Emoñe’ẽ ko mbohavái ejeregua reheve 👍 2Opaite Mbohovái (12)
FF has nothing to do with what Addons do. For problems with Addons you need to contact the Addon creator about what their addon is doing.
WestEnd said
FF has nothing to do with what Addons do. For problems with Addons you need to contact the Addon creator about what their addon is doing.
Thanks for your reply but that does not answer my question. I already know FF has nothing to do with what addons do. FF just gives permissions or not, according to user decision.
Contacting the creator is not a solution. I think no sane user would trust what authors say about what their addons do on their system. That's why those permissions exist. You limit their access because you don't trust them.
Those permissions are generic and what they grant for any addon is predefined. Actually my question was a very simple one and it's a yes/no question. In case I grant those permissions I mentioned in my original post, is it possible for any addon to steal my gmail password or not?
Moambuepyre
Is it possible for this addon to steal my gmail password?
No, those permissions don't allow for Login data to be accessed.
the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.
That contradicts what it says here: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions : "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords."
Thanks for the correction, cfcentaurea. If that information on Mozilla web site is true, then any addon from a malicious developer with the 'Access your data for all websites' permission can grab your gmail account.
I wonder if `the-edmeister` can provide a link of proof for the info he provided in his post; "No, those permissions don't allow for Login data to be accessed."
Moambuepyre
cfcentaurea said
the-edmeister saidIs it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.That contradicts what it says here: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions : "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords."
To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.
I've found this page explaining the risks of addons. https://support.mozilla.org/en-US/kb/tips-assessing-safety-extension
Moambuepyre
Sorry but the explanation is not complete and leaves some doubts.
i) the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.
ii) But from the official page here I read:
The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.
iii) Then jscher2000 said
To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.
Here are the doubts...
Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?
Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?
Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?
Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?
Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?
Many thanks
Marco
Ñemoĩporã poravopyre
mcflay said
Sorry but the explanation is not complete and leaves some doubts.
i) the-edmeister saidIs it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.ii) But from the official page here I read:
The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.iii) Then jscher2000 said
To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.
Hi Marco, do you see how those are all consistent?
- Extensions cannot directly access information saved in Firefox's password manager.
- Extensions CAN read the username and password in form fields in a page, if they have permission to that page.
Here are the doubts...
Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?
If Firefox's password manager puts the data into the page, yes.
Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?
Yes.
Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?
Extensions require that permission to make changes in the page. Many useful extensions do that. There is a huge risk if the author/publisher of the extension is not trustworthy. Shop carefully.
Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?
Those are selected by a human and were considered safe at the time of selection. Just having permission doesn't mean it will be abused.
Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?
Since we are on the topic of extensions:
(1) Only install extensions you can trust. (2) Do not run any unnecessary extensions. (3) If there are extensions you only use occasionally, and they can read the contents of pages, disable them until needed.
Some people go so far as to create a separate Firefox profile for financial tasks, with a more restricted set of add-ons. Running two different Firefox profiles at the same time uses a lot of memory, so that might not be useful if you need to access your bank frequently. If you want to try it, someone could provide more details. Or better yet, start a new question about that since it's beyond the scope of this thread.
Hi jscher2000, thanks for your very complete answer. Last question:
jscher2000 said
There is a huge risk if the author/publisher of the extension is not trustworthy
...(see "Suggested extensions" section on addons.mozilla.org) ?Those are selected by a human and were considered safe at the time of selection.
so how a FF user could check if an extension has been controlled by a human?
mcflay said
so how a FF user could check if an extension has been controlled by a human?
If an extension is not on the recommended list, you cannot be sure that a human has reviewed it.
When I upload a new version of an extension, it is checked by software. A person may look at it in the next 24-72 hours, but I don't think they look at everything, they have a method of screening for the ones that most deserve review. In the past, they didn't check some updates that behaved badly, so the system is not perfect and they are trying to improve it.
So summarizing: - it is better to use the minimum number of extensions - it is better if the extensions are present in the recommended list - for financial tasks it is better to use a different FF profile without extensions or without extensions that require the "Access your data for all websites" permission
Thanks