by mimimi31
1833 days ago
I have a hard time imagining how they enforce that. What keeps a malicious program from replicating the exact changes that Firefox makes when installing an extension? What about just replacing the whole profile folder with one that has a malicious extension installed?

>Firefox has absolutely mandatory code signing for extensions

That helps I guess, but there are clearly still malicious extensions that can pass the automated tests and get signed. Even if that wasn't possible, you could probably use some userscript extension and load malicious scripts that way.

I obviously haven't spent time trying to break this, but I would assume the config file is hashed. You probably could replace the whole profile, but that would be very noticeable to the user.