by mcovey
4136 days ago
I'm not sure how this will bode for my own extension, which I maintain for my own private use to do whatever comes to mind, like redirecting certain pages, applying userscripts and CSS files, and some other customization. Also I wouldn't have tried out all the spiffy new ES6 features that Firefox supports except that I can freely use them because it can only run in Firefox anyway. One thing I did realize in learning how to make these extensions is that, unlike with Chrome, Firefox extensions can do anything any other executable file on your computer can do, or at least, they can move, delete, edit, and rename any file anywhere on the hard drive, spawn any process, download anything and save it, so effectively all a malware author has to do is make the extension's install hook download their payload and execute it. It's a one-liner to wipe out your $HOME (I have no idea if it will work, I'm not going to try it!): require("sdk/system/child_process").spawn("/bin/rm", ["-rf", "~/*"])
I'm expecting/hopeful that there will be some kind of about:config flag to disable enforcing signed packages, it just seems typical of Mozilla to include such a feature for power users.
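A reviewer's check for the capability the comment above describes, as an added example that is not part of the original comment: it scans Add-on SDK source for `require()` calls that load modules reaching outside the browser. The module list and risk notes are this example's own assumptions (not an official or complete list), the comment stripping is a heuristic, and the sample source is constructed.

```javascript
// Modules an auditor would want to see justified before installing an
// unsigned Add-on SDK extension. Assumed list, deliberately short.
const PRIVILEGED_MODULES = new Map([
  ["sdk/system/child_process", "spawns arbitrary processes"],
  ["sdk/io/file", "reads, writes and deletes files anywhere on disk"],
  ["chrome", "raw XPCOM access (Cc/Ci/Cu)"],
]);

// Blank out comments so a commented-out require is not reported.
// Newlines inside block comments are kept so line numbers stay correct.
// Heuristic: "//" directly after ":" (as in a URL) is left alone.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
}

// Return one finding per privileged require() call, with its line number.
function auditAddonSource(fileName, src) {
  const findings = [];
  const requireCall = /\brequire\(\s*(["'])([^"']+)\1\s*\)/g;
  stripComments(src).split("\n").forEach((line, i) => {
    for (const m of line.matchAll(requireCall)) {
      const risk = PRIVILEGED_MODULES.get(m[2]);
      if (risk) {
        findings.push({ file: fileName, line: i + 1, module: m[2], risk });
      }
    }
  });
  return findings;
}

// Constructed sample: a hypothetical add-on's main.js.
const SAMPLE_MAIN_JS = [
  'var tabs = require("sdk/tabs");',
  '// var file = require("sdk/io/file");',
  'var cp = require("sdk/system/child_process");',
  "var { Cc, Ci } = require('chrome');",
].join("\n");

for (const f of auditAddonSource("main.js", SAMPLE_MAIN_JS)) {
  console.log(`${f.file}:${f.line}: ${f.module} (${f.risk})`);
}
```

A static scan like this only catches literal module names; a require whose argument is built at runtime needs manual review.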