FF addons & Security

AnomalyNexus

Are there any kinds of security mechanisms in place to prevent malicious code being published via Firefox addons?

e.g. I'm internet banking. How do I know that the new addon I'm testing isn't stealing login details?

Is there any kind of code review in place, or is it just based on happy-go-lucky faith?

If yes, then what's the command-line command for FF to temporarily start it without addons?
 
You can run it in Safe Mode if you want. I'm pretty sure the add-ons get tested by Mozilla or by most people and if there is something fishy, they will remove it. I've seen add-ons being removed before. And yes, install the No-Script add-on. It's awesome and also a bit annoying :p
 
Install the no-script add-on! :D
No man. I'm talking about the code in the .xpi file of the addons themselves.

add-ons get tested by Mozilla or by most people and if there is something fishy, they will remove it.
To catch anything they would have to look at the code itself and given the volume they are dealing with I doubt that is happening.

e.g. addon contains some basic self-modifying code that un-XORs the attack code + a time limit that only activates the unXORing in March. That would easily pass a cursory non-source inspection and I don't think it would be difficult to implement. *shivers*

/off to investigate safe mode.
 
Update on this:


MO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned
So I guess they don't have access to the source & rely on AV scans. That kinda sucks. :cry:
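
An .xpi file is an ordinary ZIP archive, so the code inside an add-on can be read before the add-on is trusted. The sketch below is an added example, not part of the original posts and not Mozilla's review tooling: it lists script lines that use dynamic evaluation, character-code decoding or date comparisons, the constructs the delayed-activation scenario raised earlier in the thread would need. The rule names, patterns, function names and sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic patterns: assumptions for illustration, not Mozilla's validator rules.
PATTERNS = {
    "dynamic-eval": re.compile(r"\beval\s*\(|\bFunction\s*\("),
    "char-decoding": re.compile(r"String\.fromCharCode|charCodeAt\s*\([^)]*\)\s*\^"),
    "date-gate": re.compile(r"\.get(?:UTC)?(?:Month|FullYear|Date)\s*\(\s*\)\s*[=!<>]=?"),
}
SCRIPT_EXT = (".js", ".jsm", ".xul", ".html")


def scan_xpi(xpi):
    """Return sorted (member, line_no, rule) findings for an .xpi path or file object."""
    findings = []
    with zipfile.ZipFile(xpi) as archive:
        for info in archive.infolist():
            name, data = info.filename, archive.read(info)
            if name.lower().endswith(".jar"):
                # Older add-ons often pack their chrome files in a nested JAR (also a ZIP).
                try:
                    inner = scan_xpi(io.BytesIO(data))
                except zipfile.BadZipFile:
                    inner = [("", 0, "unreadable-jar")]
                findings += [(f"{name}!{m}", n, r) for m, n, r in inner]
            elif name.lower().endswith(SCRIPT_EXT):
                text = data.decode("utf-8", errors="replace")
                for no, line in enumerate(text.splitlines(), 1):
                    findings += [(name, no, r) for r, rx in PATTERNS.items() if rx.search(line)]
    return sorted(findings)


def build_sample_xpi():
    """Constructed sample archive: one plain script, one with the flagged constructs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("content/ok.js", "function hello() { return 'hi'; }\n")
        z.writestr("content/odd.js",
                   "var s = String.fromCharCode(49, 43, 49);\n"
                   "if (new Date().getMonth() == 2) {\n"
                   "  eval(s);\n"
                   "}\n")
    return buf


if __name__ == "__main__":
    for member, line_no, rule in scan_xpi(build_sample_xpi()):
        print(f"{member}:{line_no}: {rule}")
```

A hit only marks a line worth reading by hand; plenty of legitimate add-ons use these constructs, and code written to avoid them produces no hits at all.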
 