Firefox add-ons with obfuscated code will be banned by Mozilla

In order to protect Firefox users from malicious add-ons, Mozilla has banned extensions that contain obfuscated code.

Caitlin Neiman, Add-ons Community Manager at Mozilla, said in a blog post on Thursday that the new policy will go into effect on 10 June.

Here’s the gist of that new policy:

We will no longer accept extensions that contain obfuscated code. We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included.

If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked.

And here’s a link to the add-on policy in full.

Blocking, also called “blocklisting,” add-ons that contain obfuscated code means disabling them in the browser after the user installed them, Neiman explained.

Extensions that violate Mozilla’s policies will face the wrath of a newly proactive Mozilla, Neiman said:

We will be casting a wider net, and will err on the side of user security when determining whether or not to block.

Neiman said that Mozilla will also keep on blocking extensions that intentionally violate its policies or that have critical security vulnerabilities, or that compromise user privacy or skirt user consent or control. Other unexpected “surprises” that Mozilla doesn’t want to see (without a clearly worded opt-in and clearly stated name of what add-on is asking for what) include extensions that change default settings, such as the new tab page, homepage or search engine; extensions that make unexpected changes to the browser or web content; or ones with features or functionality not related to the add-on’s core function(s).

Let’s keep that browser predictable

After all, surprises are fun when they pop out of birthday cakes, but not coming from an extension, Mozilla says:

Surprises … are not welcome when user security, privacy and control are at stake. It is extremely important to be as transparent as possible when submitting an add-on. Users should be able to easily discern what the functionality of your add-on is and not be presented with unexpected user experiences after installing it.

Mozilla’s got some history behind this new no-obfuscation policy.

In August 2018, it axed 23 add-ons, following a report that a security add-on was up to funny business. Mozilla had highlighted that add-on in a blog post promoting a collection of security-focused extensions to the browser. But when curious techies picked apart the program to find out exactly what it was doing, they discovered that it was assigning each user an ID and sending information labelled ‘old-URL’ and ‘new-URL’ to a consistent IP address.

On further examination, Mozilla engineer Rob Wu found 22 other browser extensions in the Firefox portfolio that were also up to no good: one group that was sending browsing information to a remote server that could potentially launch a remote code execution attack on the client, and a second group that didn’t collect URL information but were still able to launch a remote code execution attack on the client.

That code was heavily obfuscated, Wu said at the time.