Question

From what I understand about Firefox add-ons, the idea of a malicious Firefox add-on is not part of its threat model. In that, it offers no security in the case that a Firefox add-on wants to steal information from the user's browser. This is compared to other browsers like Chrome which sandboxes the different extensions.

If this is true, my question is how do you recommend doing some kind of secure storage for a Firefox add-on? Can add-ons just access the information of other add-ons like that? Take a password manager that stores a copy of a user's password.

My thought was related to some kind of key derivation function that would prompt the user to enter their credentials in order to unlock the information.

EDIT: Also wondering how the Mozilla SDK API addresses these issues: https://developer.mozilla.org/en-US/Add-ons/SDK/High-Level_APIs/simple-storage


Solution

You are correct, Firefox add-ons run with the same privileges as the application itself, meaning that creating security barriers is far from trivial (neither is it trivial with Chrome extensions but in a more subtle way).

The closest thing to a secure data storage is the login manager - if the user defined a master password then the data stored there is encrypted. Any Firefox extension can read the file where the passwords are stored but decrypting it without knowing the master password is currently considered impossible. The weak point here is the password prompt:

  • In order to make these password prompts less annoying the prompt only shows up once. After that any extension can access the data without triggering a new prompt.
  • An extension can easily fake a master password prompt along with a plausible reason why it appears - social engineering attacks like this one rarely fail.
  • But the extension doesn't even have to become active, it can simply wait for the password prompt to appear on its own. And then all it has to do is remember the password that was entered.

And there is your dilemma: your extension can encrypt the data to make it harder to retrieve. However, you still need to query the user for the password which provides an attack point for malicious extensions - this password prompt has to happen out of the reach of the malicious extension. And even if you manage to do that, a malicious extension can in theory simply replace your extension by a manipulated copy that will send off data once the password is entered.

To sum up: no, you are in no position to fight malicious extensions. The minute a user installed a malicious extension you've lost already. Then your only option is running a service with administrator privileges that will manage the data, out of reach for Firefox extensions and Firefox itself. And even then you still need to figure out how to use that data in such a way that it cannot be intercepted by a malicious extension.

That's exactly the reason why all extensions on addons.mozilla.org have to go through a review process and installing unreviewed extensions is strongly discouraged.

OTHER TIPS

Just wanted to note that Chrome storage isn't secure either, just somewhat restricted when it comes to one extension trying to access data of other extensions. (And since this got a bit too long for a comment, make it an answer).

  • Other processes usually are able to access Chrome user data just fine and that includes extension data and any sensitive stuff you put in there, such as passwords.
  • Chrome extensions might also access (and therefore steal) a lot of Chrome user data mostly hassle-free, such as cookies/localStorage...
  • Chrome extensions might intercept requests (chrome.webRequest) and pull out data from requests directly or tamper with the requests.
  • Or perform more advanced social-engineering/phishing attacks to get the user to run a full-blown piece of malware that then completely pwns the system and all data on it. Like replacing software download links in legitimate sites, or using chrome.downloads...

So a Chrome extension/the Chrome sandboxing does not protect your data from full-blown malware and does only somewhat protect your data from Chrome extension malware.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow