Mozilla to force all add-on devs to use 2FA to prevent supply-chain attacks

New rule to enter effect starting next year, in 2020.

mozilla-to-firefox-users-heres-how-were-5da72643dc406100013edce7-1-oct-25-2019-19-28-12-poster.jpg

Mozilla announced this week that all developers of Firefox add-ons must enable a two-factor authentication (2FA) solution for their account.

"Starting in early 2020, extension developers will be required to have 2FA enabled on AMO [the Mozilla Add-Ons portal]," said Caitlin Neiman, Add-ons Community Manager at Mozilla.

"This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users," Neiman added.

When this happens, hackers can use the developers' compromised accounts to ship tainted add-on updates to Firefox users.

Since Firefox add-ons have a pretty privileged position inside the browser, an attacker can use a compromised add-on to steal passwords, authentication/session cookies, spy on a user's browsing habits, or redirect users to phishing pages or malware download sites.

These types of incidents are usually referred to as supply-chain attacks.

When they happen, end users have no way of detecting if an add-on update is malicious or not, especially when a tainted update comes from the official Mozilla AMO -- a source considered secure by all Firefox users.

Mozilla's decision to force add-on devs to enable 2FA is the best course of action the browser maker could have taken to prevent future supply-chain incidents.

While there have been no known cases of AMO account hijackings for Firefox add-ons in recent years, there have been many cases of hijacked Chrome extensions.

Developers of Chrome extensions are under a constant barrage of phishing emails through which hackers try to gain access to their Chrome Web Store accounts. ZDNet documented one of these mass-phishing campaigns against Chrome extension devs last year, but we're told they're still going on today.

Such attacks primarily target Chrome extension devs because of Chrome's 65%-70% browser market share. Firefox, with only 10%, is most likely a less attractive target to criminal groups; however, seeing Mozilla take pre-emptive actions is commendable.