The following guide offers tips and instructions for staying safe when you download extensions for the Mozilla Firefox web browser.

The past year has been eventful for users of the Firefox web browser. Mozilla introduced features such as multi-process support and Firefox Quantum that moved the browser closer to Google Chrome in architecture and performance.

Mozilla dropped the old add-on system of Firefox and replaced it with WebExtensions, the same extension model that Google Chrome and other Chromium-based browsers support. Mozilla's plan was, however, to extend the capabilities of WebExtensions beyond what Chrome supports.

Firefox WebExtensions have access to features that can make them more potent than their Chrome counterparts.

One of the reasons that Mozilla gave for switching to WebExtensions was that classic add-ons had too much control over the browser: they ran with the browser's own privileges and could modify its internals. WebExtensions confine developers to a declared set of APIs and permissions, which benefits the security and stability of the browser.

A look at Chrome's Web Store shows, however, that WebExtensions can still be abused to spy on users, steal data, or misuse user devices in other ways, since a permitted API such as reading every page a user visits is enough for that.

Staying safe when downloading Firefox add-ons

AMO (addons.mozilla.org) is the primary hub for Firefox extensions. It is the official extension directory, and users may use it to browse, search for and install browser extensions.

The store currently lists both classic add-ons and WebExtensions. Mozilla announced plans in 2017 to remove legacy add-ons from the store once Firefox ESR reaches version 60. The current ESR release is the only official Firefox version that still supports legacy add-ons; the next extended support release will drop that support as well.

Automatic and manual approval of extensions

Mozilla changed the extension submission system on AMO. In the past, the organization verified each add-on manually before it became available on AMO. The new system runs automated checks and lists any extension that passes them.

This is the same approach that Google uses for Chrome extensions. Mozilla still plans to review add-ons manually, but only after they are already listed. That post-listing review is the difference from how Google handles things, and it does improve security, just not at install time.

AMO currently shows no manual-verification indicator, which means that you cannot tell whether an extension has been reviewed by a human yet.

Crypto-mining extensions have already slipped past the automatic review process, and while the situation is arguably a lot better than on Chrome's Web Store, there is a chance that problematic extensions end up on AMO.

So, what can you do about it?

  • If you have the skills, verify extensions yourself. Download the extension to your local system (an XPI file is a plain ZIP archive, so any unzip tool opens it), start with manifest.json to see which permissions, host patterns and scripts it declares, and then read the code those scripts actually contain. Be aware that minified or obfuscated code makes this much harder and is itself a reason for caution.

If you cannot do that, you may use the following methods to reduce the chance of installing problematic extensions:
  • Don't install extensions on the day they are published. If you wait a couple of days, you increase the likelihood that Mozilla has reviewed the extension manually in the meantime.
  • Check the permissions. Do they match the purpose of the extension? A single-site helper that asks for access to all websites, your browsing history, or the ability to intercept web requests deserves a closer look.
  • Read the user reviews and check the general stats (rating, number of users, add-on history). Extensions with good ratings, many installs and substantive reviews are a safer bet than extensions with no reviews, no ratings and no comments. This is not a 100% safeguard either: attackers have hijacked the Google accounts of Chrome extension developers in the past and pushed manipulated updates of trusted extensions to the Web Store, so a good track record does not protect against a compromised update.
  • Check the developer profile. Developers who maintain multiple extensions and have maintained them for a long time are somewhat more trustworthy than a brand-new account with a single upload.
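The two checks above that you can do offline, reading the XPI yourself and comparing the declared permissions against the extension's stated purpose, can be scripted. The following Python is an added example written for this guide; it is not Mozilla's or AMO's tooling. It treats the XPI as the ZIP archive it is, merges API permissions, host permissions and content-script match patterns into one effective set, flags the entries from a broad-permission list chosen for this example (`<all_urls>`, `webRequestBlocking`, `tabs`, `cookies` and similar), and greps the bundled scripts for a few constructs that warrant a manual read (`eval`, injected `<script>` elements, WebSocket connections). The sample XPI it analyses is constructed in memory and is not a real add-on; the "suspicious" pattern list is a starting point, not a malware signature.

```python
"""Offline triage of a Firefox WebExtension (.xpi).
Example code added to this guide; not Mozilla's or AMO's tooling."""
import io
import json
import re
import zipfile

# Permissions that let an extension read or rewrite every page, or observe all
# traffic. A legitimate extension may need some of them; the question is
# whether they match the advertised purpose. List chosen for this example.
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "tabs", "history",
    "cookies", "clipboardRead", "nativeMessaging", "proxy",
}

# Constructs in bundled JavaScript that deserve a closer manual read.
SUSPICIOUS_PATTERNS = {
    "eval_or_function": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "remote_script": re.compile(r"createElement\s*\(\s*['\"]script['\"]"),
    "websocket": re.compile(r"new\s+WebSocket\s*\("),
    "worker": re.compile(r"new\s+Worker\s*\("),
}


def load_manifest(xpi_bytes):
    """An XPI is a plain ZIP archive; manifest.json sits at its root."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return json.loads(zf.read("manifest.json").decode("utf-8"))


def effective_permissions(manifest):
    """Merge API permissions, host patterns and content-script matches.
    A content script matching *://*/* runs on every page regardless of
    what the permissions array says, so it counts as a host permission."""
    perms = set(manifest.get("permissions", []))
    perms.update(manifest.get("host_permissions", []))  # manifest v3 field
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms


def flag_broad(perms):
    """Return the broad permissions actually requested, sorted for stable output."""
    return sorted(p for p in perms if p in BROAD_PERMISSIONS)


def scan_scripts(xpi_bytes):
    """Return {path: [pattern names]} for every .js file that matches."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".js"):
                continue
            src = zf.read(name).decode("utf-8", errors="replace")
            found = [k for k, rx in SUSPICIOUS_PATTERNS.items() if rx.search(src)]
            if found:
                hits[name] = found
    return hits


def triage(xpi_bytes):
    """Full report for one XPI: name, effective permissions, broad ones, script hits."""
    manifest = load_manifest(xpi_bytes)
    perms = effective_permissions(manifest)
    return {
        "name": manifest.get("name"),
        "permissions": sorted(perms),
        "broad": flag_broad(perms),
        "script_hits": scan_scripts(xpi_bytes),
    }


def build_sample_xpi():
    """Constructed sample (not a real extension): a 'cookie clicker helper'
    whose manifest and code do not match such a narrow purpose."""
    manifest = {
        "manifest_version": 2,
        "name": "Sample Cookie Clicker Helper",
        "version": "1.0",
        "permissions": ["storage", "<all_urls>", "webRequestBlocking"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
        "background": {"scripts": ["background.js"]},
    }
    content_js = "document.addEventListener('click', () => { new WebSocket('wss://example.invalid'); });"
    background_js = "const s = document.createElement('script'); s.src = 'https://example.invalid/x.js';"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("content.js", content_js)
        zf.writestr("background.js", background_js)
    return buf.getvalue()


if __name__ == "__main__":
    # For a downloaded add-on: triage(open("addon.xpi", "rb").read())
    print(json.dumps(triage(build_sample_xpi()), indent=2))
```

Run it against a real XPI by passing the file's bytes to `triage()`. A hit in `script_hits` is not proof of malice (plenty of legitimate extensions open WebSockets), and an empty report is not proof of safety; the script only tells you where to start reading, and a manifest whose effective permissions are far broader than the store listing suggests is the first thing to question.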

Closing Words

Don’t get me wrong. I’m not advocating that Firefox users should not install add-ons anymore. Firefox users need to be aware of the dangers of the new review system. It is easy enough to see how bad things can become by looking at the situation over on Chrome’s Web Store. Mozilla’s system is still better than Google’s. The organization should consider adding a visible flag to extensions that have not been reviewed manually yet.