Mozilla has warned developers that a phishing campaign is targeting AMO (addons.mozilla.org). The browser maker advises Firefox add-on developers to exercise caution with emails that claim to be from Mozilla/AMO.
I have an account that I use for managing my add-on collections, and received an alert about the phishing campaign.
Mozilla says that the phishing email may state some variation of this, “Your Mozilla Add-ons account requires an update to continue accessing developer features.” Users are advised not to click on links in such emails, and to verify if the email passes SPF, DKIM, and DMARC checks.
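The SPF, DKIM, and DMARC check mentioned above can be read from the Authentication-Results header that your receiving mail server stamps on each message. The Python below is an added example, not part of the original post or of Mozilla's alert; both messages are constructed, and the server name mx.example.net, the sender address, and mozilla.org as the expected sender domain are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples, not real mail. mx.example.net stands in for your own
# receiving server; mozilla.org as the expected sender domain is an assumption.
LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mozilla.org;
 dkim=pass header.d=mozilla.org;
 dmarc=pass header.from=mozilla.org
From: Mozilla Add-ons <nobody@mozilla.org>
Subject: Constructed legitimate notice

body
"""
PHISH = """\
Authentication-Results: attacker.example; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk.lookalike.example;
 dkim=none;
 dmarc=fail header.from=mozilla.org
From: Mozilla Add-ons <nobody@mozilla.org>
Subject: Your Mozilla Add-ons account requires an update

body
"""

def auth_verdict(raw, trusted_authserv, expected_domain):
    """Return (ok, results), reading only the trusted server's header(s)."""
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # Anyone can insert this header; skip ones not stamped by our server.
        if authserv.lower().split()[:1] != [trusted_authserv]:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), set()).add(result.lower())
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    on_domain = (from_domain == expected_domain
                 or from_domain.endswith("." + expected_domain))
    passed = all("pass" in results.get(m, ()) for m in ("spf", "dkim", "dmarc"))
    return passed and on_domain, results

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(name, auth_verdict(raw, "mx.example.net", "mozilla.org"))
```

The verdict is only as trustworthy as the header: this relies on the receiving server removing any inbound Authentication-Results header that already carries its own name, as RFC 8601 requires of border mail servers.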
Yet another reason why your favorite browser extension can place you at risk, even if it is trusted by the community.
So what is your solution? For example, should Firefox users just disable uBlock Origin because this kind of threat exists, or could it be possible that the benefits that some browser extensions offer are so significant that it is still worth using them?
I would argue that not using some browser extensions like uBlock Origin can put you at a bigger risk because you would then be running so many unnecessary and potentially malicious scripts on your browser that will end up increasing your attack surface more than installing the extension.
Solution is to reduce attack surface by minimizing unnecessary extensions. Obviously, I would never recommend people to not install uBlock Origin. If you need it, install it.
No one can deny that if the developers behind uBlock Origin get pwned, millions of people can become compromised, however unlikely that is.
When you think about it, pretty much every extension is unnecessary these days.
LibRedirect? Just bookmark a few instances you trust, then block the original domains through your own custom filters in uBlock Origin.
SponsorBlock, DeArrow, Return YouTube Dislike, etc.? Just use Invidious or yt-dlp if you really need to watch YouTube videos.
Dark theme extensions? Use Firefox’s built-in dark mode (not compatible with resistfingerprinting though).
Vimium, Vim Vixen, Tridactyl? For the few people who think they can’t live without that, try Luakit (browser is still maintained but the website hasn’t updated since 2019, uses WebKitGTK which updates independently from Luakit).
Outside of my password manager, this is the only other extension I install. It’s great on my laptop that has a very very bad trackpad. And I’d rather not stray to a different browser just for that.
I tried Vimium before but Tridactyl worked better for me which unfortunately requires every single permission imaginable. It was a different experience but I tend to get things done quicker with a mouse instead of memorizing many keybindings for a text editor I don’t even use.
Also iirc (and this may have changed since I haven’t used it in a few years) Vimium defaults to Google search independent of your browser’s default search.