This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox addon asks for permission to access data for all websites. Is it possible for this addon to steal my gmail password?

  • 12 replies
  • 2 have this problem
  • 186 views
  • Last reply by mcflay

more options

During install, a Firefox addon asks for these permissions;

  • Access your data for all websites
  • Access browser tabs...

If I grant these permissions, could the author of this add-on access my email account data, emails and passwords while it's open on a Firefox tab?

During install, a Firefox addon asks for these permissions; * Access your data for all websites * Access browser tabs... If I grant these permissions, could the author of this add-on access my email account data, emails and passwords while it's open on a Firefox tab?

Modified by noisywan

Chosen solution

mcflay said

Sorry but the explanation is not complete and leaves some doubts.
i) the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

ii) But from the official page here I read:

The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.

iii) Then jscher2000 said

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.

Hi Marco, do you see how those are all consistent?

  • Extensions cannot directly access information saved in Firefox's password manager.
  • Extensions CAN read the username and password in form fields in a page, if they have permission to that page.
Here are the doubts...
Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?

If Firefox's password manager puts the data into the page, yes.

Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?

Yes.

Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?

Extensions require that permission to make changes in the page. Many useful extensions do that. There is a huge risk if the author/publisher of the extension is not trustworthy. Shop carefully.

Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?

Those are selected by a human and were considered safe at the time of selection. Just having permission doesn't mean it will be abused.

Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?

Since we are on the topic of extensions:

(1) Only install extensions you can trust. (2) Do not run any unnecessary extensions. (3) If there are extensions you only use occasionally, and they can read the contents of pages, disable them until needed.

Some people go so far as to create a separate Firefox profile for financial tasks, with a more restricted set of add-ons. Running two different Firefox profiles at the same time uses a lot of memory, so that might not be useful if you need to access your bank frequently. If you want to try it, someone could provide more details. Or better yet, start a new question about that since it's beyond the scope of this thread.

Read this answer in context 👍 2

All Replies (12)

more options

FF has nothing to do with what Addons do. For problems with Addons you need to contact the Addon creator about what their addon is doing.

more options

WestEnd said

FF has nothing to do with what Addons do. For problems with Addons you need to contact the Addon creator about what their addon is doing.

Thanks for your reply but that does not answer my question. I already know FF has nothing to do with what addons do. FF just gives permissions or not, according to user decision.

Contacting the creator is not a solution. I think no sane user would trust what authors say about what their addons do on their system. That's why those permissions exist. You limit their access because you don't trust them.

Those permissions are generic and what they grant for any addon is predefined. Actually my question was a very simple one and it's a yes/no question. In case I grant those permissions I mentioned in my original post, is it possible for any addon to steal my gmail password or not?

Modified by noisywan

more options

Is it possible for this addon to steal my gmail password?

No, those permissions don't allow for Login data to be accessed.

more options

the-edmeister said

Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

That contradicts what it says here: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions : "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords."

more options

Thanks for the correction, cfcentaurea. If that information on Mozilla web site is true, then any addon from a malicious developer with the 'Access your data for all websites' permission can grab your gmail account.

I wonder if `the-edmeister` can provide a link of proof for the info he provided in his post; "No, those permissions don't allow for Login data to be accessed."

Modified by noisywan

more options

cfcentaurea said

the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

That contradicts what it says here: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions : "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords."

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.

more options

I've found this page explaining the risks of addons. https://support.mozilla.org/en-US/kb/tips-assessing-safety-extension

Modified by noisywan

more options

Sorry but the explanation is not complete and leaves some doubts.


i) the-edmeister said

Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.


ii) But from the official page here I read:

The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.


iii) Then jscher2000 said

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.


Here are the doubts...

Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?

Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?

Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?

Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?

Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?

Many thanks

Marco

more options

Chosen Solution

mcflay said

Sorry but the explanation is not complete and leaves some doubts.
i) the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

ii) But from the official page here I read:

The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.

iii) Then jscher2000 said

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.

Hi Marco, do you see how those are all consistent?

  • Extensions cannot directly access information saved in Firefox's password manager.
  • Extensions CAN read the username and password in form fields in a page, if they have permission to that page.
Here are the doubts...
Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?

If Firefox's password manager puts the data into the page, yes.

Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?

Yes.

Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?

Extensions require that permission to make changes in the page. Many useful extensions do that. There is a huge risk if the author/publisher of the extension is not trustworthy. Shop carefully.

Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?

Those are selected by a human and were considered safe at the time of selection. Just having permission doesn't mean it will be abused.

Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?

Since we are on the topic of extensions:

(1) Only install extensions you can trust. (2) Do not run any unnecessary extensions. (3) If there are extensions you only use occasionally, and they can read the contents of pages, disable them until needed.

Some people go so far as to create a separate Firefox profile for financial tasks, with a more restricted set of add-ons. Running two different Firefox profiles at the same time uses a lot of memory, so that might not be useful if you need to access your bank frequently. If you want to try it, someone could provide more details. Or better yet, start a new question about that since it's beyond the scope of this thread.

more options

Hi jscher2000, thanks for your very complete answer. Last question:

jscher2000 said

There is a huge risk if the author/publisher of the extension is not trustworthy
...(see "Suggested extensions" section on addons.mozilla.org) ?

Those are selected by a human and were considered safe at the time of selection.

so how a FF user could check if an extension has been controlled by a human?

more options

mcflay said

so how a FF user could check if an extension has been controlled by a human?

If an extension is not on the recommended list, you cannot be sure that a human has reviewed it.

When I upload a new version of an extension, it is checked by software. A person may look at it in the next 24-72 hours, but I don't think they look at everything, they have a method of screening for the ones that most deserve review. In the past, they didn't check some updates that behaved badly, so the system is not perfect and they are trying to improve it.

more options

So summarizing: - it is better to use the minimum number of extensions - it is better if the extensions are present in the recommended list - for financial tasks it is better to use a different FF profile without extensions or without extensions that require the "Access your data for all websites" permission

Thanks