Ad-ons Permission - Access your data for all websites - Concerns, elaboration required
Please pardon my ignorance regarding this topic, but I cannot help having several questions after having read Firefox "Permission request messages for Firefox extensions" (https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions#w_access-your-data-for-all-websites), particularly "Access your data for all websites" Permission:
"The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords." -Scary!
Note: These questions are not related to a particular extension and/or developer, these are merely questions regarding all extensions requiring "Access your data for all websites" Permission. Any and all references made to any particular extension in this thread are for the sole purposes to facilitate discussion and/or visualization, and Not to be construed in any negative manner on my part. I am merely seeking clarification regarding security concerns I and/or others may have in the future and perhaps aid browser development team, the community and extension developers to improve its security documentation and/or functions.
Questions:
1. Does that mean said extensions can read the content of any and "ALL" web page you visit as well as data you enter into those web pages, such as usernames and passwords "EVER" visited in the past and in the future?
2. Regardless whether or not such extensions disabled?
3. Regardless whether or not web page is open and/or sign-in?
4. Regardless if a Firefox Login "Master Password" is being used?
5. Other than not using such extensions, what precautions users can take to minimize/eliminate such security breaches?
6. How can such extensions have a Firefox "Recommended" designation?
7. Why "some" such extensions opt to collect contributions "outside" Mozilla's Add-ons extension's landing page? Could that be used to raise a suspicious concerns?
8. Can extensions change their current permissions to a higher level from their initial installation via an user requested update performed from within Firefox's Extensions utility without the users knowledge?
9. How can users discern when extensions has a legitimate need for "Access your data for all websites" permission?
10. Do download extensions (and others) need "Access your data for all websites" permission along, and if so why (...is it due to browser technical limitation)?
11. Would it be possible for Mozilla's Add-ons extension's landing page to display whether or not "Access your data for all websites" is necessary and why?
These concerns came up when searching for a YouTube download extension.
Example: "Easy Youtube Video Downloader Express" by Dishita (https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-video-download/?src=search)
Apologies for lengthy questions. Thank you!
PS: Quick response would be appreciated.
All Replies (9)
I myself am an add-on developer, so I'll try to answer all of your questions above to the best of my ability for you. This permission is certainly something that other people have been concerned/confused about before.
- Theoretically, yes. While the extension won't have access to the past data that you've entered, it can see anything that loads on the page or is entered on the page while it's installed. There are some exceptions, like internal Firefox pages or Mozilla-owned pages, where extensions are not allowed to view the page.
- No, when an extension is disabled, it's not running. Therefore, it can't see any websites.
- Aside from the exceptions I mentioned in my answer to your first question, theoretically, yes.
- Extensions don't have direct access to the passwords saved on Firefox, until they are entered into the website. So, if an extension is tracking a password text input box, then it could (theoretically) see the data that's entered.
- Like you said, users should make sure to use add-ons they can trust. The majority of add-ons are not using this permission in a malicious way.
- The add-ons in the Recommended Extensions program are safe and trusted add-ons. They are ones that are not abusing the add-on permissions.
- I'm not entirely sure about what you mean by "contributions". My assumption is that you are talking about donations. Many add-ons do collect donations to fund their efforts. Add-ons are designed and released for free to Firefox. Many developers also have websites that they run, where they may offer a download link to the add-on and have their own donation platform.
- If an update for any add-on is released and it requires new permissions, you will be asked to approve the new permissions before the extension gets updated. If you don't approve the new permissions, the extension will stay at the last version.
- Unfortunately, that falls on the user. You need to do research about the extension that you want to install. The Firefox add-ons platform does a pretty good job of filtering out and reviewing extensions, but ultimate responsibility falls on the user.
- You'd be surprised how often an add-on requires that permission. Basically, the permission is required in order for the extension to see any of the websites that you visit. For example, I have a website blocking extension that I developed. It requires the permission so that it can view the link that's being loaded and compare it to a list of websites that the user has decided to block. Ad blockers and other content blockers work the same way. Another example would be a temperature conversion extension that I also developed. When you highlight a temperature, the extension converts it to a different unit. It needs the permission so that it can insert the required selection code into every website when it loads and so that it can view the highlighted content.
- Generally, if it's listed as a permission, it's something that the developer added because they needed it. It's not very common for developers to add unnecessary permissions to their add-ons. I may be wrong about this, but I think the submission platform even warns the developer about unneeded permissions when they submitting a new version.
Hopefully I've answered all of your questions for you. If you need anything explained further or had additional questions, I'd be glad to help.
Thank you Wesley for your quick and detailed response, very insightful, yet alarmingly disappointing how these extension permissions work.
Based on the facts you have stated, why would anyone bother to use such extensions when they bank or shop online, or am i missing something here?
From what I am just beginning to understand, such extensions can potentially capture "visible" and/or "keyed-in" login and password information when they are enabled, regardless which browser window and/or tab, past, present and/or future (most Alarming).
Unless the Firefox login and password auto complete does it for you? What about other password managers cut-and-paste, can such extensions capture that data too?
Example: Visited banking institution less than 30 days ago, installed such extension today, they can potentially learn, previously visited or future sites, search terms, capture data keyed-in, date and time, log-in info, even if the if not signed-in, or site is not open on any browser window/tabs?
As to installing trusted extension developers, in an era where Facebook, Google and Amazon to mention just a few cant be trusted with out data, how can users trust such unknown extension developers? There is no way of knowing what they do with the data and/or how is it being handled from one point to another. There is no regulatory compliance requirements such PCI DSS for merchants that capture credit card payment information, you would not belive the hoops we online merchants are required to jump through each quarter. What if honest extension developer data somehow is broken into, stolen, etc.?
As to contributions, I noticed some extension developers opt to collect contributions (donations) "outside" Mozilla's Add-ons "store" extension's landing page, versus "inside", why? Could that be used to raise a suspicious concerns?
Thank you.
Wesley Branton said
I myself am an add-on developer, so I'll try to answer all of your questions above to the best of my ability for you. This permission is certainly something that other people have been concerned/confused about before.Hopefully I've answered all of your questions for you. If you need anything explained further or had additional questions, I'd be glad to help.
- Theoretically, yes. While the extension won't have access to the past data that you've entered, it can see anything that loads on the page or is entered on the page while it's installed. There are some exceptions, like internal Firefox pages or Mozilla-owned pages, where extensions are not allowed to view the page.
- No, when an extension is disabled, it's not running. Therefore, it can't see any websites.
- Aside from the exceptions I mentioned in my answer to your first question, theoretically, yes.
- Extensions don't have direct access to the passwords saved on Firefox, until they are entered into the website. So, if an extension is tracking a password text input box, then it could (theoretically) see the data that's entered.
- Like you said, users should make sure to use add-ons they can trust. The majority of add-ons are not using this permission in a malicious way.
- The add-ons in the Recommended Extensions program are safe and trusted add-ons. They are ones that are not abusing the add-on permissions.
- I'm not entirely sure about what you mean by "contributions". My assumption is that you are talking about donations. Many add-ons do collect donations to fund their efforts. Add-ons are designed and released for free to Firefox. Many developers also have websites that they run, where they may offer a download link to the add-on and have their own donation platform.
- If an update for any add-on is released and it requires new permissions, you will be asked to approve the new permissions before the extension gets updated. If you don't approve the new permissions, the extension will stay at the last version.
- Unfortunately, that falls on the user. You need to do research about the extension that you want to install. The Firefox add-ons platform does a pretty good job of filtering out and reviewing extensions, but ultimate responsibility falls on the user.
- You'd be surprised how often an add-on requires that permission. Basically, the permission is required in order for the extension to see any of the websites that you visit. For example, I have a website blocking extension that I developed. It requires the permission so that it can view the link that's being loaded and compare it to a list of websites that the user has decided to block. Ad blockers and other content blockers work the same way. Another example would be a temperature conversion extension that I also developed. When you highlight a temperature, the extension converts it to a different unit. It needs the permission so that it can insert the required selection code into every website when it loads and so that it can view the highlighted content.
- Generally, if it's listed as a permission, it's something that the developer added because they needed it. It's not very common for developers to add unnecessary permissions to their add-ons. I may be wrong about this, but I think the submission platform even warns the developer about unneeded permissions when they submitting a new version.
Thank you Wesley for your quick and detailed response, very insightful, yet alarmingly disappointing how these extension permissions work.
Based on the facts you have stated, why would anyone bother to use such extensions when they bank or shop online, or am i missing something here?
From what I am just beginning to understand, such extensions can potentially capture "visible" and/or "keyed-in" login and password information when they are enabled, regardless which browser window and/or tab, past, present and/or future (most Alarming).
Unless the Firefox login and password auto complete does it for you? What about other password managers cut-and-paste, can such extensions capture that data too?
Example: Visited banking institution less than 30 days ago, installed such extension today, they can potentially learn, previously visited or future sites, search terms, capture data keyed-in, date and time, log-in info, even if the if not signed-in, or site is not open on any browser window/tabs?
As to installing trusted extension developers, in an era where Facebook, Google and Amazon to mention just a few cant be trusted with out data, how can users trust such unknown extension developers? There is no way of knowing what they do with the data and/or how is it being handled from one point to another. There is no regulatory compliance requirements such PCI DSS for merchants that capture credit card payment information, you would not belive the hoops we online merchants are required to jump through each quarter. What if honest extension developer data somehow is broken into, stolen, etc.?
As to contributions, I noticed some extension developers opt to collect contributions (donations) "outside" Mozilla's Add-ons "store" extension's landing page, versus "inside", why? Could that be used to raise a suspicious concerns?
Thank you.
Add-ons are just like any other piece of software. A regular program that you install on your computer could also access Firefox data, so you just need to be responsible when adding things to your computer.
An example that I like to sometimes show people is how easy it could be to get the password from the Facebook login page. If you go to the Facebook website (assuming you aren't logged in), you will get the login screen at the top. If you press Ctrl + Shift + K on your keyboard, you will open the Web Console, which will allow you to run code (similar to what an extension can do). If you fill in some fake login information (but don't click login) and type document.getElementById('pass').value;
into the >>
part of the Web Console and press enter it should show you what you have typed into the password field.
So, in theory, an extension could include the same code and run it on the Facebook page when you open it. Then, it could send that to the extension developer. Actually, that's basically how the builtin Firefox password manager and other password managers can collect this data to save for you (although, obviously they aren't sending the data to themselves).
I should also point out that just because a developer has added that permission to their add-on doesn't necessarily mean they are collecting anything. As a matter of fact, there are tons that don't send any data anywhere. The permission just allows the add-on to access the website content and information so that it can function properly.
While capturing passwords and other data could be a possibility, there are more legitimate developers than bad ones.
As for donations, many developers do use the donation button on their add-on listing page. The issue is that the add-ons page only supports a limited number of payment processors (buymeacoffee.com, donate.mozilla.org, flattr.com, liberapay.com, micropayment.de, opencollective.com, patreon.com, paypal.com and paypal.me at the moment). So, if the developer wants to use a different payment processor (perhaps one that offers lower fees), they need to have a donation page outside of Mozilla.
It's not necessarily bad. Usually they will use an assortment of processors, since the people donating to them may also have ones that they prefer over others. Provided the developer is using a trusted and safe platform, there's not really much need for concern.
I also believe that perhaps the Tips for assessing the safety of an extension page may provide some other useful information to you.
Wesley Branton said
I also believe that perhaps the Tips for assessing the safety of an extension page may provide some other useful information to you.
Thank you Wesley, I am most appreciative for your information and efforts in enlightening, regardless how disappointing I find the whole browser Add-ons Extensions security/privacy issue.
Just to add another voice - the security implications of browser add-ons are not different than the security implications of the web browser, any other software application, the operating system you use, or being connected to a network at all. If you want thing made of code X to act on some other data or code , it has to access it. The actual use of such permissions is usually for more limited and granular. (Honestly, your average app for a mobile device is much scarier.)
Generally you can get a good idea on whether any developer or vendor is trustworthy (or more easily - if they are untrustworthy, as that news is louder) is to do a search and see what different sources say about the thing in question.
I had the exact same question as the OP, about the exact same add-ons (video download add-ons), so I won't create a new thread.
But I'd like to get more specific Wesley. Can you think of any reason why a video download add-on would require a "access your data for all websites" permission?
Almost ALL the top video download add-ons require this permission, including: https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/ https://addons.mozilla.org/en-US/firefox/addon/download-video-and-flash/ https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-video-download/
According to Mozilla, these are some possible reasons, but a video download extension doesn't need that information: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions#w_access-your-data-for-all-websites
And a second question: can the add-on read the data on web pages where it is not enabled? I'm asking because this particular add-on is enabled only on Youtube: https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-video-download/
Thank you for any additional information. I think this thread should be an eye-opener for many (i.e. check the number of users for each of these add-ons).
Wesley Branton said
I myself am an add-on developer, so I'll try to answer all of your questions above to the best of my ability for you. This permission is certainly something that other people have been concerned/confused about before.Hopefully I've answered all of your questions for you. If you need anything explained further or had additional questions, I'd be glad to help.
- Theoretically, yes. While the extension won't have access to the past data that you've entered, it can see anything that loads on the page or is entered on the page while it's installed. There are some exceptions, like internal Firefox pages or Mozilla-owned pages, where extensions are not allowed to view the page.
- No, when an extension is disabled, it's not running. Therefore, it can't see any websites.
- Aside from the exceptions I mentioned in my answer to your first question, theoretically, yes.
- Extensions don't have direct access to the passwords saved on Firefox, until they are entered into the website. So, if an extension is tracking a password text input box, then it could (theoretically) see the data that's entered.
- Like you said, users should make sure to use add-ons they can trust. The majority of add-ons are not using this permission in a malicious way.
- The add-ons in the Recommended Extensions program are safe and trusted add-ons. They are ones that are not abusing the add-on permissions.
- I'm not entirely sure about what you mean by "contributions". My assumption is that you are talking about donations. Many add-ons do collect donations to fund their efforts. Add-ons are designed and released for free to Firefox. Many developers also have websites that they run, where they may offer a download link to the add-on and have their own donation platform.
- If an update for any add-on is released and it requires new permissions, you will be asked to approve the new permissions before the extension gets updated. If you don't approve the new permissions, the extension will stay at the last version.
- Unfortunately, that falls on the user. You need to do research about the extension that you want to install. The Firefox add-ons platform does a pretty good job of filtering out and reviewing extensions, but ultimate responsibility falls on the user.
- You'd be surprised how often an add-on requires that permission. Basically, the permission is required in order for the extension to see any of the websites that you visit. For example, I have a website blocking extension that I developed. It requires the permission so that it can view the link that's being loaded and compare it to a list of websites that the user has decided to block. Ad blockers and other content blockers work the same way. Another example would be a temperature conversion extension that I also developed. When you highlight a temperature, the extension converts it to a different unit. It needs the permission so that it can insert the required selection code into every website when it loads and so that it can view the highlighted content.
- Generally, if it's listed as a permission, it's something that the developer added because they needed it. It's not very common for developers to add unnecessary permissions to their add-ons. I may be wrong about this, but I think the submission platform even warns the developer about unneeded permissions when they submitting a new version.
Can you think of any reason why a video download add-on would require a "access your data for all websites" permission?
Sure. Some of the examples that you provided allow you to download videos from a variety of websites. They may use the permission to be able to scan a website for a downloadable video and then provide the download button for that.
can the add-on read the data on web pages where it is not enabled? I'm asking because this particular add-on is enabled only on Youtube: https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-video-download/
If the add-on only has permission to access YouTube.com, then no, it couldn't read data on other websites. However, since the example that you included doesn't just have permission for YouTube.com, it could still run on other pages.
Add-ons with the access your data for all websites' permission can access data on every website, whether or not it makes any visible alterations to the website.
An gyara