Mozilla announced this week that all developers of Firefox add-ons must enable a two-factor authentication (2FA) solution for their account.
“Starting in early 2020, extension developers will be required to have 2FA enabled on AMO [the Mozilla Add-Ons portal],” said Caitlin Neiman, Add-ons Community Manager at Mozilla.
“This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users,” Neiman added.
Once an attacker controls a developer's AMO account, they can publish a tainted update to that add-on, and Firefox's automatic add-on updates deliver it to every user who has it installed.
Add-ons run with the permissions declared in their manifest, and for many add-ons those include access to the content of every page the user visits, to cookies, and to the browser's network requests. An attacker who controls one can therefore steal passwords and authentication/session cookies, record a user's browsing, or redirect users to phishing pages or malware download sites.
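The quickest way to see how much reach a given add-on has is to read the permissions it declares. The script below is an added example, not code from the article or from Mozilla: it audits a WebExtension `manifest.json` and flags the permissions and host patterns that grant the capabilities described above. The manifest it inspects is constructed for the example, and the risk descriptions are my own grouping of real WebExtension permission names, not Mozilla's review policy.

```javascript
// Audit a WebExtension manifest for permissions that give an add-on the
// reach a supply-chain attacker wants: cookies, every request, every page.
// Added example; the manifest below is constructed, not a real add-on.

// Permission names are real WebExtension permissions; the "why" text is an
// assumption-free summary of what each grants, written for this example.
const RISKY_PERMISSIONS = {
  cookies: "read and modify cookies, including session cookies, for permitted hosts",
  webRequest: "observe every HTTP request the browser makes",
  webRequestBlocking: "block, redirect or rewrite requests (phishing/malware redirects)",
  proxy: "route all browser traffic through an attacker-chosen proxy",
  tabs: "see the URL and title of every open tab (browsing habits)",
  history: "read the full browsing history",
  nativeMessaging: "talk to a native program outside the browser sandbox",
  clipboardRead: "read the clipboard",
  management: "enumerate, enable or disable other extensions",
};

// True for match patterns that cover every host: "<all_urls>", "*://*/*",
// "https://*/*" and so on. Subdomain wildcards such as "*://*.example.com/*"
// are not flagged, since they are scoped to one domain.
function isBroadHost(pattern) {
  if (pattern === "<all_urls>") return true;
  return /^(\*|https?|wss?|ftp):\/\/\*\//.test(pattern);
}

// Returns a list of findings; an empty list means nothing high-risk was declared.
function auditManifest(manifest) {
  const findings = [];
  // Manifest v2 keeps host patterns in "permissions"; v3 moves them to
  // "host_permissions". Check both so either format is handled.
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const p of declared) {
    if (RISKY_PERMISSIONS[p]) {
      findings.push({ kind: "permission", value: p, why: RISKY_PERMISSIONS[p] });
    } else if (isBroadHost(p)) {
      findings.push({
        kind: "host",
        value: p,
        why: "host access to every site: page content, forms, typed credentials",
      });
    }
  }
  // Content scripts injected on every page can read the DOM, form fields and
  // keystrokes even without any API permission.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) {
        findings.push({
          kind: "content_script",
          value: m,
          why: "script injected into every page: can read DOM, keystrokes, form fields",
        });
      }
    }
  }
  return findings;
}

function formatReport(findings) {
  if (findings.length === 0) return "no high-risk permissions declared";
  return findings.map((f) => `[${f.kind}] ${f.value}: ${f.why}`).join("\n");
}

// Constructed sample manifest for the example (name and files are invented).
const sampleManifest = {
  manifest_version: 2,
  name: "Example Notes",
  version: "1.2.3",
  permissions: ["storage", "cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

console.log(formatReport(auditManifest(sampleManifest)));
```

Run with `node audit.js` (file name is your choice). The sample manifest produces five findings: three API permissions, the `<all_urls>` host pattern, and a content script on every page. The benign `storage` permission is not reported. An audit like this is also what a user or reviewer would compare against the previous version when an update suddenly asks for far more than it used to.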
These types of incidents are usually referred to as supply-chain attacks.
When they happen, end users have no practical way of telling a malicious add-on update from a legitimate one, especially when the tainted update arrives through the official Mozilla AMO, a source users have been told they can trust. Mozilla signs every add-on distributed through AMO, so an update pushed from a hijacked developer account carries a valid signature; the signature proves that AMO issued the file, not that the developer authorized it.
Mozilla's decision to require 2FA for add-on developers is the best course of action the browser maker could have taken to prevent future supply-chain incidents of this kind. It closes off the most common route to an account takeover, a reused or phished password, although it does not help when a developer's own machine or build pipeline is compromised, or when the developer hands the add-on to a new owner.
While there have been no known cases of AMO account hijackings for Firefox add-ons in recent years, there have been many cases of hijacked Chrome extensions.
Developers of Chrome extensions are under a constant barrage of phishing emails through which hackers try to gain access to their Chrome Web Store accounts. ZDNet documented one of these mass-phishing campaigns against Chrome extension devs last year, but we’re told they’re still going on today.
Such attacks primarily target Chrome extension devs because of Chrome's 65%-70% browser market share. Firefox, with roughly 10%, is most likely a less attractive target for criminal groups; however, seeing Mozilla take pre-emptive action is commendable.