I just figured this out and am embarrassed I did not know this sooner. I have lots of privacy extensions like privacy badger, ublock origin, canvasblocker, cookie autodelete, decentraleyes, https everywhere and more. All of these have the permission: Access your data for all websites The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords. These authors cannot be trusted with this data especially our usernames and passwords.
Wait a minute, can they even grab your username and passwords? I didn't really know about this, and yes, it's crazy if true. Why didn't browser developers already solved this problem? I do know that SpyShelter was capable of blocking extension based keyloggers on Firefox.
First Firefox wants to reduce extension rights(with the new extension model) and people complain that extensions become to limited, and now they want even less rights for extensions. You can't have both. Bottom line, don't run stuff you don't trust.
I feel the same way. I used all the above extensions including noscript as you mentioned running on linux and recently my debit card got hacked online and several hundred dollars were stolen, but I got my money back from my bank since it was an obvious fraud case and I didn't know or have any relations with the persons involved. Ever since that happened I removed all of my extensions. If they wanted to get you they'll get you and it doesn't matter what you have.
A disturbing incident, seti. Were you, by any chance, able to connect the fraud to having used one or more of the extensions you and others mentioned?
This thread is ridiculous. Extensions need permissions/privileges to do their job. It's like complaining that antivirus installation needs to be done on Administrator account or other belonging to Administrators group and you need to accept that UAC prompt. uBlock Origin needs to read and modify webpage for filtering according to blocklists and block access to some url in order to remove ads, tracking scripts and sometimes even malicious scripts. Don't install random extensions from random developers that require too much permissions. It is okay to install well-known extensions (especially open-source ext.) with clear privacy policy from trustworthy developers even if they require very invasive privileges.
Tips for assessing the safety of an extension | Mozilla Support Then: To view a list of extensions officially endorsed by Mozilla through the Recommended Extensions program, click here.
The letter that my bank sent me didn't ask me anything related to type of browsers or any addon extensions and I never mentioned anything to them. It's been several months I can't remember what they asked me except the common questions like, did I lose my card or did I give my card to anyone, etc. After the incident happened, I thought to myself why me or how it happened even though I had the "recommended firefox security addons" plus hosts file with linux, straight open source, and I still got hacked. So basically all these security tools couldn't prevent the hack. It was obvious that since I shop online a lot with firefox the hack was most likely through the internet and I shop mostly on 2 major sites only. My bank told me they used a machine to withdraw money, but the type of machine I don't know. I saw multiple withrdrawals from random people with indian names. I was lucky they didn't get into my savings account. Only my debit card which I used most of the time was compromised. No one in my family uses firefox extensions except me and they shop online a lot especially with their phones. If you do use addons, I recommend it for seperate profile and not for online purchases. I thought having them on were making me safer but now I think they actually increase the risk, just my experience. And I can't provide proof that I was hacked through firefox addons. But it seems pretty clear to me now that it's possible. https://support.mozilla.org/en-US/questions/1225776