Can Firefox add-ons read your passwords?


As far as I understand, some Firefox add-ons can read all data that you enter in a field on a webpage.

See also Firefox addon asks for permission to access data for all websites. Is it possible for this addon to steal my gmail password? | Firefox Support Forum | Mozilla Support

Now I am wondering, would it be possible for such a Firefox add-on to read the password/passphrase that you enter in the Duplicati 2.0 GUI.


Welcome to the forum @fredtb

Keeping in mind that you have to grant it permission, I would assume so. The GUI is just a web page.
and Permission request messages for Firefox extensions discusses the sorts of things you can grant.
Below is Duplicati Passphrase source. I don’t think there’s anything special, but I’m not a GUI expert.

Thank you @ts678

Since, as it seems, one or more third parties may be able to read your passwords when using Duplicati 2.0, I think I will keep on using Duplicati 1.3.4.

IMHO this is very paranoid stuff: you don’t use firefox with web mail, web forums, home banking?!? It’s the same thing… obviously a malicious extension could be stolen your passwords and the passwords of other extension users around the world.

Anyway, you can create a new profile without extensions and use it only to configure the scheduler.

If you forgot what you granted, go to the Add-ons section, which lists all the permissions you granted.

Tips for assessing the safety of an extension gives tips on keeping bad stuff out (always a good idea).

Extensions in Private Browsing might be another option – just keep all the extensions turned off, like:

Starting in Firefox version 67, you will be able to decide which extensions will run while you are in private browsing.

Your choice, of course. Keep in mind that it’s not supported. Note also that my comments apply to the recent versions of Firefox. If you’re hanging onto an old Firefox too, it’s far worse, and has other bugs.

Don’t install addons you don’t trust. If you did have such an addon, you’d have to worry about anything you used with your web browser - not just Duplicati.