
Firefox Passwords: Add-on Security

TL;DR

Generally, Firefox add-ons cannot directly access your saved passwords in decrypted form, because of the browser's security restrictions. However, there are exceptions and risks. Modern Firefox versions have significantly improved password protection, but older add-ons or malicious ones could still pose a threat. Always review the permissions an add-on requests before installing it.

Understanding How Firefox Stores Passwords

Firefox stores your passwords using strong encryption. Here’s a breakdown:

  • Master Password: If you set one, this encrypts your saved logins.
  • Encryption Algorithm: Firefox uses robust algorithms (like AES) to protect the password data itself.
  • Login Data Database: Passwords are stored in a database file (signon.sqlite).

Direct access to this database requires specific permissions and is heavily restricted.

Why Add-ons Can’t Easily Access Decrypted Passwords

  1. Sandboxing: Firefox add-ons run in a ‘sandbox’, limiting their ability to interact with the core browser functionality, including password storage.
  2. API Restrictions: The APIs (Application Programming Interfaces) available to add-ons are designed to prevent direct access to sensitive data like passwords. Add-ons typically use APIs for specific tasks like creating new logins or filling in forms, but not for reading decrypted passwords.
  3. Permissions System: Firefox requires add-ons to explicitly request permissions to access certain features. Accessing password storage is a high-level permission that users must grant consciously.

Potential Risks and Exceptions

  1. Older Add-ons: Add-ons built before stricter security measures were in place might have more permissive access. Avoid using outdated add-ons.
  2. Malicious Add-ons: A compromised or intentionally malicious add-on could attempt to exploit vulnerabilities to gain unauthorized access. This is why reviewing permissions and the developer’s reputation is crucial.
  3. Browser Extensions with Native Code: Some extensions use native code (code outside of JavaScript) which can bypass some sandbox restrictions, increasing potential risk.
  4. Password Managers as Add-ons: Legitimate password manager add-ons do need access to your passwords, but they should be from trusted sources and follow strict security guidelines. They typically use the Firefox Password Management API correctly.

How to Check Add-on Permissions

  1. Open Add-ons Manager: Type about:addons in your Firefox address bar and press Enter.
  2. Select the Add-on: Click on the add-on you want to review.
  3. View Permissions: Look for a ‘Permissions’ section (or similar). This lists what the add-on is allowed to do. Be wary of add-ons requesting broad or unnecessary permissions, especially those related to browser history, tabs, and data storage.
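As an added example (not code from the original post), the script below applies the same review to an add-on's manifest.json, flagging the broad permissions mentioned above (history, tabs, every-site access) and the nativeMessaging permission that lets an extension reach native code. The permission strings are real WebExtension permission names; the risk wording and the sample manifest are this example's own constructions.

```javascript
// Audit a Firefox WebExtension manifest.json and list the permissions a
// user should look at twice before installing. The permission strings are
// real WebExtension names; the descriptions are this example's own wording.
const RISKY_PERMISSIONS = {
  "<all_urls>": "can read and modify every page, including login forms",
  history: "can read browsing history",
  tabs: "can read the URL and title of every open tab",
  cookies: "can read and change cookies, including session tokens",
  webRequest: "can observe network requests",
  webRequestBlocking: "can block or rewrite network requests",
  nativeMessaging: "can talk to native code outside the JavaScript sandbox",
  clipboardRead: "can read the clipboard",
};

// A host permission whose host part is "*" (e.g. "*://*/*" or "https://*/*")
// matches every site, so it is as broad as "<all_urls>" for page access.
function isBroadHostPattern(pattern) {
  const m = /^[^:]+:\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[1] === "*";
}

function auditManifest(manifest) {
  // Manifest V2 lists host patterns under "permissions"; V3 moves them to
  // "host_permissions". Read both so either manifest version is handled.
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const findings = [];
  for (const p of declared) {
    if (RISKY_PERMISSIONS[p]) {
      findings.push({ permission: p, reason: RISKY_PERMISSIONS[p] });
    } else if (isBroadHostPattern(p)) {
      findings.push({ permission: p, reason: "broad host pattern, matches every site" });
    }
  }
  return findings;
}

// Constructed sample manifest for a hypothetical "page notes" add-on that
// asks for far more than note-taking needs; "storage" alone is unremarkable.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Page Notes (hypothetical)",
  permissions: ["storage", "tabs", "history", "*://*/*", "nativeMessaging"],
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

The printed findings are the same items the about:addons Permissions panel would describe in plain language, which makes the script a quick pre-install check when you have the extension's source or unpacked XPI.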

Protecting Your Passwords

  1. Use a Strong Master Password: If you don’t already have one, create a strong, unique master password for Firefox.
  2. Keep Firefox Updated: Updates often include security patches that address vulnerabilities.
  3. Review Add-ons Regularly: Periodically check the add-ons you have installed and remove any you no longer need or trust.
  4. Use a Reputable Password Manager: Consider using a dedicated password manager (like Bitwarden, 1Password, or LastPass) for enhanced security features.

Technical Details (For Advanced Users)

The Firefox Password Management API provides methods like:

  • signon.manager.getPasswordLogin(realm, username): Retrieves a password login by realm and username. This does not return the decrypted password directly; it returns an object with encrypted data.
  • signon.manager.addLogin(loginInfo): Adds a new password login.

Add-ons cannot bypass these APIs to access raw, decrypted passwords.
