Can Firefox add-ons read your passwords?
As far as I understand, some Firefox add-ons can read all data that you enter in a field on a webpage.

See also Firefox addon asks for permission to access data for all websites. Is it possible for this addon to steal my gmail password? | Firefox Support Forum | Mozilla Support

Now I am wondering: would it be possible for such a Firefox add-on to read the password/passphrase that you enter in the Duplicati 2.0 GUI?

Welcome to the forum @fredtb

Keeping in mind that you have to grant it permission, I would assume so. The GUI is just a web page.
Permission request messages for Firefox extensions discusses the sorts of things you can grant.
Below is the Duplicati Passphrase source. I don’t think there’s anything special, but I’m not a GUI expert.

Thank you @ts678

Since, as it seems, one or more third parties may be able to read your passwords when using Duplicati 2.0, I think I will keep on using Duplicati 1.3.4.

IMHO this is very paranoid stuff: you don’t use Firefox with web mail, web forums, home banking?!? It’s the same thing… obviously a malicious extension could steal your passwords and the passwords of other extension users around the world.

Anyway, you can create a new profile without extensions and use it only to configure the scheduler.

If you forgot what you granted, go to the Add-ons section, which lists all the permissions you granted.

Tips for assessing the safety of an extension gives tips on keeping bad stuff out (always a good idea).

Extensions in Private Browsing might be another option – just keep all the extensions turned off, like:

Starting in Firefox version 67, you will be able to decide which extensions will run while you are in private browsing.

Your choice, of course. Keep in mind that it’s not supported. Note also that my comments apply to the recent versions of Firefox. If you’re hanging onto an old Firefox too, it’s far worse, and has other bugs.
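One way to check this from outside the browser, as an added example that is not from this thread, from Duplicati or from Mozilla: the script parses a Firefox profile's extensions.json (layout assumed: `addons[].userPermissions.origins`) and lists the enabled extensions whose granted host permissions cover the Duplicati GUI address, applying Firefox's match-pattern rules (`<all_urls>`, `*` scheme, `*.host` wildcards, path wildcards). The sample JSON is constructed, and `http://localhost:8200/` is assumed to be Duplicati's default local address.

```python
import json
import re
from urllib.parse import urlsplit

ALL_URL_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file", "data"}  # what <all_urls> covers


def pattern_matches(pattern: str, url: str) -> bool:
    """True if a Firefox host-permission match pattern covers the URL."""
    u = urlsplit(url)
    if pattern == "<all_urls>":
        return u.scheme in ALL_URL_SCHEMES
    m = re.fullmatch(r"(\*|[a-z][a-z0-9+.-]*)://([^/]*)(/.*)", pattern)
    if not m:
        return False  # a malformed pattern grants nothing
    scheme, host, path = m.groups()
    if scheme != u.scheme and not (scheme == "*" and u.scheme in ("http", "https")):
        return False
    url_host = (u.netloc if ":" in host else u.hostname or "").lower()  # port compared only if the pattern names one (assumption)
    if host.startswith("*."):  # "*.example.com" also matches the bare "example.com"
        if url_host != host[2:] and not url_host.endswith(host[1:]):
            return False
    elif host != "*" and host.lower() != url_host:
        return False
    path_re = "".join(".*" if c == "*" else re.escape(c) for c in path)
    url_path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    return re.fullmatch(path_re, url_path) is not None


def extensions_covering(extensions_json: str, url: str) -> list:
    """Names of enabled extensions whose granted origins cover the URL (layout assumed)."""
    hits = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, dictionaries and disabled add-ons cannot run content scripts
        origins = addon.get("userPermissions", {}).get("origins", [])
        if any(pattern_matches(p, url) for p in origins):
            hits.append(addon.get("defaultLocale", {}).get("name", addon["id"]))
    return hits


# Constructed sample standing in for <profile>/extensions.json in a Firefox profile.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "helper@example", "type": "extension", "active": True, "defaultLocale": {"name": "Shopping Helper"},
     "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "wiki@example", "type": "extension", "active": True, "defaultLocale": {"name": "Wiki Tweaks"},
     "userPermissions": {"origins": ["*://*.wikipedia.org/*"]}},
    {"id": "old@example", "type": "extension", "active": False, "defaultLocale": {"name": "Disabled Thing"},
     "userPermissions": {"origins": ["http://localhost/*"]}},
]})
DUPLICATI_GUI_URL = "http://localhost:8200/"  # Duplicati's default local address (assumed)
```

Running `extensions_covering(SAMPLE_EXTENSIONS_JSON, DUPLICATI_GUI_URL)` on the sample returns only "Shopping Helper": the wikipedia-only extension does not reach localhost, and the disabled one cannot run at all.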

Don’t install addons you don’t trust. If you did have such an addon, you’d have to worry about anything you used with your web browser - not just Duplicati.

Thanks for your replies.

Initially it was my plan to use (in the Duplicati 2.0 GUI) a password/passphrase that is important to me and that I know by heart. But now I realize that in my case it’s better to create a new password for the backup, store that password in, for example, a KeePass file, and store that KeePass file next to the files of the backup.

With the above strategy, I think I dare to use Duplicati 2.0, because it is not a big disaster to me if the password that I use in the Duplicati 2.0 GUI is read by a third party.

Absolutely - it’s best practice to use a unique, strong password for each service. Reusing passwords is a bad idea in general.

Edit to add: I’m not sure what backend you are using, but if it’s remote storage you probably have user/password authentication at that level, as well. That password should definitely be different from your encryption passphrase. If someone were to steal your computer, you could then just change your storage authentication to prevent access to the backup data.

I use KeePass in this way and for me it is very comfortable! Furthermore, I have included the backup configuration file in the db, so in a disaster recovery scenario it is only necessary to reimport the configuration to have access to the data (of course I have many copies of this db and it is not included in the backup job).