Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Firefox addon asks for permission to access data for all websites. Is it possible for this addon to steal my gmail password?

  • 12 个回答
  • 2 人有此问题
  • 1 次查看
  • 最后回复者为 mcflay

more options

During install, a Firefox addon asks for these permissions;

  • Access your data for all websites
  • Access browser tabs...

If I grant these permissions, could the author of this add-on access my email account data, emails and passwords while it's open on a Firefox tab?

During install, a Firefox addon asks for these permissions; * Access your data for all websites * Access browser tabs... If I grant these permissions, could the author of this add-on access my email account data, emails and passwords while it's open on a Firefox tab?

由noisywan于修改

被采纳的解决方案

mcflay said

Sorry but the explanation is not complete and leaves some doubts.
i) the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

ii) But from the official page here I read:

The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.

iii) Then jscher2000 said

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.

Hi Marco, do you see how those are all consistent?

  • Extensions cannot directly access information saved in Firefox's password manager.
  • Extensions CAN read the username and password in form fields in a page, if they have permission to that page.
Here are the doubts...
Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?

If Firefox's password manager puts the data into the page, yes.

Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?

Yes.

Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?

Extensions require that permission to make changes in the page. Many useful extensions do that. There is a huge risk if the author/publisher of the extension is not trustworthy. Shop carefully.

Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?

Those are selected by a human and were considered safe at the time of selection. Just having permission doesn't mean it will be abused.

Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?

Since we are on the topic of extensions:

(1) Only install extensions you can trust. (2) Do not run any unnecessary extensions. (3) If there are extensions you only use occasionally, and they can read the contents of pages, disable them until needed.

Some people go so far as to create a separate Firefox profile for financial tasks, with a more restricted set of add-ons. Running two different Firefox profiles at the same time uses a lot of memory, so that might not be useful if you need to access your bank frequently. If you want to try it, someone could provide more details. Or better yet, start a new question about that since it's beyond the scope of this thread.

定位到答案原位置 👍 2

所有回复 (12)

more options

FF has nothing to do with what Addons do. For problems with Addons you need to contact the Addon creator about what their addon is doing.

more options

WestEnd said

FF has nothing to do with what Addons do. For problems with Addons you need to contact the Addon creator about what their addon is doing.

Thanks for your reply but that does not answer my question. I already know FF has nothing to do with what addons do. FF just gives permissions or not, according to user decision.

Contacting the creator is not a solution. I think no sane user would trust what authors say about what their addons do on their system. That's why those permissions exist. You limit their access because you don't trust them.

Those permissions are generic and what they grant for any addon is predefined. Actually my question was a very simple one and it's a yes/no question. In case I grant those permissions I mentioned in my original post, is it possible for any addon to steal my gmail password or not?

由noisywan于修改

more options

Is it possible for this addon to steal my gmail password?

No, those permissions don't allow for Login data to be accessed.

more options

the-edmeister said

Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

That contradicts what it says here: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions : "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords."

more options

Thanks for the correction, cfcentaurea. If that information on Mozilla web site is true, then any addon from a malicious developer with the 'Access your data for all websites' permission can grab your gmail account.

I wonder if `the-edmeister` can provide a link of proof for the info he provided in his post; "No, those permissions don't allow for Login data to be accessed."

由noisywan于修改

more options

cfcentaurea said

the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

That contradicts what it says here: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions : "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords."

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.

more options

I've found this page explaining the risks of addons. https://support.mozilla.org/en-US/kb/tips-assessing-safety-extension

由noisywan于修改

more options

Sorry but the explanation is not complete and leaves some doubts.


i) the-edmeister said

Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.


ii) But from the official page here I read:

The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.


iii) Then jscher2000 said

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.


Here are the doubts...

Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?

Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?

Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?

Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?

Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?

Many thanks

Marco

more options

选择的解决方案

mcflay said

Sorry but the explanation is not complete and leaves some doubts.
i) the-edmeister said
Is it possible for this addon to steal my gmail password? No, those permissions don't allow for Login data to be accessed.

ii) But from the official page here I read:

The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.

iii) Then jscher2000 said

To clarify: extensions can't reach into Firefox's password manager (saved logins); there's no permission that allows that. However, if an extension has permission to read everything in a page, that can include anything entered into the page.

Hi Marco, do you see how those are all consistent?

  • Extensions cannot directly access information saved in Firefox's password manager.
  • Extensions CAN read the username and password in form fields in a page, if they have permission to that page.
Here are the doubts...
Q1. if I browse on a site where I have a saved login and FF compiles username and password fields, could an addon with the permission "Access your data for all websites" take my data?

If Firefox's password manager puts the data into the page, yes.

Q2. if I browse on a site where I have not a saved login and I compile username and password fields manually, could an addon with the permission "Access your data for all websites" take my data?

Yes.

Q3. whereas 99% of extensions require that permission, the idea of installing an extension becomes a huge risk to your privacy. It's correct?

Extensions require that permission to make changes in the page. Many useful extensions do that. There is a huge risk if the author/publisher of the extension is not trustworthy. Shop carefully.

Q4. faced with all these risks, how is it possible that Firefox (intended as company) advises users to install extensions (see "Suggested extensions" section on addons.mozilla.org) ?

Those are selected by a human and were considered safe at the time of selection. Just having permission doesn't mean it will be abused.

Q5. I want to use FF to access my bank's website (I'm making an example). What advice can you give me to better protect the data that I will have to insert?

Since we are on the topic of extensions:

(1) Only install extensions you can trust. (2) Do not run any unnecessary extensions. (3) If there are extensions you only use occasionally, and they can read the contents of pages, disable them until needed.

Some people go so far as to create a separate Firefox profile for financial tasks, with a more restricted set of add-ons. Running two different Firefox profiles at the same time uses a lot of memory, so that might not be useful if you need to access your bank frequently. If you want to try it, someone could provide more details. Or better yet, start a new question about that since it's beyond the scope of this thread.

more options

Hi jscher2000, thanks for your very complete answer. Last question:

jscher2000 said

There is a huge risk if the author/publisher of the extension is not trustworthy
...(see "Suggested extensions" section on addons.mozilla.org) ?

Those are selected by a human and were considered safe at the time of selection.

so how a FF user could check if an extension has been controlled by a human?

more options

mcflay said

so how a FF user could check if an extension has been controlled by a human?

If an extension is not on the recommended list, you cannot be sure that a human has reviewed it.

When I upload a new version of an extension, it is checked by software. A person may look at it in the next 24-72 hours, but I don't think they look at everything, they have a method of screening for the ones that most deserve review. In the past, they didn't check some updates that behaved badly, so the system is not perfect and they are trying to improve it.

more options

So summarizing: - it is better to use the minimum number of extensions - it is better if the extensions are present in the recommended list - for financial tasks it is better to use a different FF profile without extensions or without extensions that require the "Access your data for all websites" permission

Thanks