Firefox extension permissions are scary

Discussion in 'privacy general' started by Holysmoke, Aug 22, 2019.

  1. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    139
    I just figured this out and am embarrassed I did not know this sooner.

    I have lots of privacy extensions like Privacy Badger, uBlock Origin, CanvasBlocker, Cookie AutoDelete, Decentraleyes, HTTPS Everywhere and more.

    All of these have the permission:

    Access your data for all websites

    The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.

    These authors cannot be trusted with this data especially our usernames and passwords.
     
  2. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    972
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,095
    Location:
    The Netherlands
    Wait a minute, can they even grab your username and passwords? I didn't really know about this, and yes, it's crazy if true. Why didn't browser developers already solve this problem? I do know that SpyShelter was capable of blocking extension-based keyloggers on Firefox.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,519
    Location:
    Outer space
    First Firefox wants to reduce extension rights (with the new extension model) and people complain that extensions become too limited, and now they want even less rights for extensions. You can't have both.
    Bottom line, don't run stuff you don't trust.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,386
    Location:
    Member state of European Union
    So don't use these extensions if you don't trust them.
     
  6. seti

    seti Registered Member

    Joined:
    Oct 10, 2016
    Posts:
    10
    Location:
    california
    I feel the same way. I used all the above extensions including NoScript as you mentioned running on Linux and recently my debit card got hacked online and several hundred dollars were stolen, but I got my money back from my bank since it was an obvious fraud case and I didn't know or have any relations with the persons involved. Ever since that happened I removed all of my extensions. If they wanted to get you they'll get you and it doesn't matter what you have.
     
  7. kls490

    kls490 Registered Member

    Joined:
    Aug 15, 2015
    Posts:
    60
    Location:
    Mid Atlantic Region (USA)
    A disturbing incident, seti. Were you, by any chance, able to connect the fraud to having used one or more of the extensions you and others mentioned?
     
    Last edited: Nov 15, 2020
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,386
    Location:
    Member state of European Union
    This thread is ridiculous. Extensions need permissions/privileges to do their job. It's like complaining that antivirus installation needs to be done on an Administrator account or another account belonging to the Administrators group and you need to accept that UAC prompt.
    uBlock Origin needs to read and modify web pages for filtering according to blocklists and block access to some URLs in order to remove ads, tracking scripts and sometimes even malicious scripts.
    Don't install random extensions from random developers that require too many permissions. It is okay to install well-known extensions (especially open-source ext.) with a clear privacy policy from trustworthy developers even if they require very invasive privileges.
     
    Last edited: Nov 15, 2020
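
One way to see which extensions request the "Access your data for all websites" permission discussed in this thread is to inspect each extension's `manifest.json` for host patterns that cover every site (`<all_urls>` or a wildcard host). This is an added example, not part of any poster's message; the function names and the sample manifests are constructed for illustration.

```javascript
// Added example: flag WebExtension manifests that request access to every site.
// Function names and the sample manifests are constructed for illustration.

// A wildcard host such as "*://*/*", "http://*/*" or "https://*/*".
const WILDCARD_HOST = /^(\*|https?|wss?):\/\/\*\//;

function coversAllSites(pattern) {
  return pattern === "<all_urls>" || WILDCARD_HOST.test(pattern);
}

// Returns [{ source, pattern }] for every manifest entry that grants access
// to all websites; an empty array means none was found.
function findAllSitesAccess(manifest) {
  const findings = [];
  const check = (source, patterns) => {
    for (const p of Array.isArray(patterns) ? patterns : []) {
      if (typeof p === "string" && coversAllSites(p)) {
        findings.push({ source, pattern: p });
      }
    }
  };
  check("permissions", manifest.permissions);
  check("host_permissions", manifest.host_permissions); // Manifest V3 key
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLES = {
  blocker: { permissions: ["webRequest", "webRequestBlocking", "storage", "<all_urls>"] },
  injector: { permissions: ["storage"],
              content_scripts: [{ matches: ["*://*/*"], js: ["page.js"] }] },
  singleSite: { permissions: ["storage", "https://example.org/*"] },
};

function auditAll(manifests) {
  const report = {};
  for (const [name, m] of Object.entries(manifests)) {
    report[name] = findAllSitesAccess(m);
  }
  return report;
}

for (const [name, hits] of Object.entries(auditAll(SAMPLES))) {
  const why = hits.map(h => `${h.source}: ${h.pattern}`).join(", ");
  console.log(`${name}: ${hits.length ? "all websites (" + why + ")" : "limited"}`);
}
```

A Firefox `.xpi` file is a zip archive, so the `manifest.json` to feed into `findAllSitesAccess` can be extracted from it with any unzip tool.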
  9. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    171
    Location:
    London UK
  10. seti

    seti Registered Member

    Joined:
    Oct 10, 2016
    Posts:
    10
    Location:
    california
    The letter that my bank sent me didn't ask me anything related to type of browsers or any addon extensions and I never mentioned anything to them. It's been several months I can't remember what they asked me except the common questions like, did I lose my card or did I give my card to anyone, etc. After the incident happened, I thought to myself why me or how it happened even though I had the "recommended firefox security addons" plus hosts file with Linux, straight open source, and I still got hacked. So basically all these security tools couldn't prevent the hack. It was obvious that since I shop online a lot with Firefox the hack was most likely through the internet and I shop mostly on 2 major sites only. My bank told me they used a machine to withdraw money, but the type of machine I don't know. I saw multiple withdrawals from random people with Indian names. I was lucky they didn't get into my savings account. Only my debit card which I used most of the time was compromised.

    No one in my family uses Firefox extensions except me and they shop online a lot especially with their phones. If you do use addons, I recommend it for a separate profile and not for online purchases. I thought having them on were making me safer but now I think they actually increase the risk, just my experience. And I can't provide proof that I was hacked through Firefox addons. But it seems pretty clear to me now that it's possible. https://support.mozilla.org/en-US/questions/1225776
     