Caution: installing Firefox Add-ons

While Firefox is gaining popularity every day, the number of extensions (called Add-ons as of version 2.0) is exploding as well.

This is nice, in general, but there’s a downside as well. It is very easy to write all kinds of obnoxious add-ons, including spyware and other malware, and disguise them as some innocent-looking enhancement. I thought it was just a matter of time until some creep started making such an extension.

And indeed, I just stumbled over a long thread on MozillaZine, “What to do about Junk Firefox Ad-Ons”, covering exactly this subject.

What to do?

Ideally, you should decompress every extension (an .xpi is just a zip file) and inspect all active content: JavaScript, and – beware – binary executables like .dll/.so and .exe components. When in doubt, don’t install!
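One way to get a first inventory before reading the code by hand, as an added example that is not part of the original post: it opens the .xpi as a zip, descends into nested .jar archives, and lists scripts and native binaries (recognised by their leading bytes, so a renamed .dll is still caught). The extension lists, the size limit and the sample file names are assumptions made for this illustration.

```python
import io
import zipfile

# Leading magic bytes of native code, checked regardless of file name.
MAGIC = {b"MZ": "PE (.dll/.exe)", b"\x7fELF": "ELF (.so)"}
SCRIPT_EXT = (".js", ".jsm", ".xul", ".xbl", ".html")  # assumed list
ARCHIVE_EXT = (".jar", ".zip", ".xpi")
MAX_NESTED = 50 * 1024 * 1024  # do not unpack nested archives above this size


def inventory_xpi(source, prefix=""):
    """Return sorted (path, kind) pairs for active content in an .xpi."""
    findings = []
    with zipfile.ZipFile(source) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path, lower = prefix + info.filename, info.filename.lower()
            with z.open(info) as f:
                head = f.read(4)
            native = next((k for m, k in MAGIC.items() if head.startswith(m)), None)
            if native:
                findings.append((path, "native " + native))
            elif lower.endswith(ARCHIVE_EXT) and info.file_size > MAX_NESTED:
                findings.append((path, "archive too large, inspect by hand"))
            elif lower.endswith(ARCHIVE_EXT):
                inner = io.BytesIO(z.read(info))
                if zipfile.is_zipfile(inner):
                    # Report nested entries as outer!/inner.
                    findings += inventory_xpi(inner, path + "!/")
            elif lower.endswith(SCRIPT_EXT):
                findings.append((path, "script"))
    return sorted(findings)


def build_sample_xpi():
    """Constructed sample: in-memory .xpi with scripts, a jar and a fake DLL."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("content/overlay.js", "/* constructed */")
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/sample.jar", jar.getvalue())
        z.writestr("components/helper.dat", b"MZ\x90\x00constructed")
        z.writestr("components/init.js", "/* constructed */")
    xpi.seek(0)
    return xpi
```

Calling `inventory_xpi("some-extension.xpi")` on a downloaded file gives the list of files to read first; an empty "native" list does not make the scripts safe, it only tells you where the active content lives.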

Also, extensions can be signed by their creators. This guarantees that the extension has not been tampered with between signing and installation. Hardly any extensions are signed, however.

Luckily, the folks from addons.mozilla.org (AMO) have to approve any uploaded extension before it is published. They are aware of the problem and have taken action against a bunch of doubtful extensions.

For that reason I uploaded my Microsummary Generator Builder extension to AMO – and got it approved. My recommendation: only download extensions from AMO and be really careful with other sources.