Sophos News

Mozilla mandates 2FA security for Firefox developers

Mozilla last week fired off an important memo to all Firefox extension developers telling them to turn on two-factor authentication (2FA) on their addons.mozilla.org (AMO) accounts.

This is a good move but also surprisingly late in the day.

Mozilla extensions have been around since not long after the browser appeared in 2004, and have been available to all Firefox users from 2014.

In 2018, the company added multi-factor authentication to accounts, with users able to choose from any one of a long list of Time-based One-Time Password (TOTP) authentication apps.

This, in effect, means that extension developers have been securing their accounts using only an email address and password for most of the browser’s existence.

It’s a glaring security weakness Mozilla has belatedly decided to plug. Mozilla’s Caitlin Neiman wrote:

Starting in early 2020, extension developers will be required to have 2FA enabled on AMO. This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users. 2FA will not be required for submissions that use AMO’s upload API.

Rogue extensions

Turning on better authentication is an inherently good idea, but is there more to it than that? Extensions and add-ons can be used to target Firefox users in three ways:

  1. Criminals setting up legitimate accounts to spread rogue extensions.
  2. Criminals distributing rogue extensions from third-party sites and socially engineering Firefox users to install them.
  3. Legitimate developer accounts that get hacked to sneak malicious extensions into the official Firefox add-ons store.

The first of these has been a low-level issue since Mozilla moved from manual to a more automated review process in 2017 in an effort to speed up development. Rogues get pulled down quickly when the company detects them, but this is after the fact. The second has also been an occasional issue.

Perhaps mindful of similar incidents on Google’s Chrome store, Mozilla has finally ticked developer 2FA off its security to-do list.

So, a few weeks from now, logging into a developer account won’t be possible without 2FA – a big change for developers who perhaps don’t pay as much attention to their creations as they should.

That means they could, in theory, be locked out completely, which is why Mozilla recommends they print out recovery codes for such an eventuality.

2FA for everyone

More generally, turning on 2FA for all your accounts that offer it is something everyone can do. Good security isn’t just something for developers.
