A wave of malware add-ons hit the Mozilla Firefox Extensions Store

Firefox users beware… Although these ones are somewhat easy to spot as suspect.


Interesting. Thanks.

I try to keep to a very small set of extensions, so I’m not too likely to load a bad one.

Isn’t the extension signing supposed to prevent this? Or is this a reaction to the extension bug, which caused people to turn off verification?

Mozilla switched from a “review first, publish second” to a “publish first, review second” model in 2017. Any extension uploaded to Mozilla AMO that passes automated checks is published first with the exception of extensions of the Firefox Recommended Extensions program.

I don’t know what the Firefox Store Developer requirements are, the likely problem for Firefox more than Google and other browser “stores” is that as a largely community project, it may not have the resources to at least do a superficial code-check when Extensions are uploaded to the store and maybe Developer verification may be practically non-existent as well (assuming that code signing is enforced, then the Developer’s identity should be easily revealed). I don’t advocate proper identification for most things on the Internet, but there really isn’t any way to get around its necessity when it comes to writing Code others will use.


Basically anyone is able to create, sign and upload an extension…

You agree to abide by the rules: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Agreement

Create your extension…

Go through the signing and submission process: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Distribution https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Distribution/Submitting_an_add-on

… and that’s it, all done and dusted.

Previously all add-ons were reviewed before they were published, however owing mainly to limited reviewer resources large delays often occurred, much to the wrath of the authors awaiting publication…