Mozilla announced this week that all Firefox extension developers must enable two-factor authentication (2FA) for their accounts. “From the beginning of 2020, extension developers will need to enable 2FA on AMO (addons.mozilla.org),” Caitlin Neiman, Mozilla Extension Community Manager, wrote on the official blog. “This is to prevent malicious attackers from controlling legitimate extensions and their users.”
When an attacker takes control of a developer’s account, they can use it to send infected extension updates to Firefox users. Attackers can also use compromised extensions to steal passwords and authentication/session cookies, monitor users’ browsing habits, redirect users to phishing pages or malware download sites, and more. These types of events are often classed as “supply chain attacks”. When they happen, end users cannot detect whether the extension update is malicious, especially when the infected update comes from the official Mozilla AMO, a source that all Firefox users consider safe.
Two-factor authentication (2FA) adds another step to the login process to prove the user’s true identity. This can add a layer of security to the account. There have been no cases of hijacked AMO accounts targeting Firefox extensions in recent years. Nevertheless, there have been many cases of attacks on Chrome extensions. Developers of Chrome extensions are often targeted by phishing emails, in which the attackers usually try to gain access to the developer’s Chrome Web Store account.
Generally, this type of attack mainly targets Chrome extension developers, because Chrome has a 65%-70% market share. Firefox, with only 10%, is relatively less attractive to attackers. However, Mozilla is wary enough to take preemptive action. Mozilla advises that users can follow the instructions at support.mozilla.org to enable two-factor authentication (2FA) for their account before the new rules take effect.