This article originally appeared in Information Security Buzz on May 5, 2019.
Mozilla is changing its policies and have let developers know that they will be blocking all Firefox add-ons that contain obfuscated code in an effort to clean out malicious third-party code.
Usman Rahim, Digital Security and Operations Manager at The Media Trust:
“Paying closer attention to the risks that third-party code suppliers pose is an important step in the right direction. However, Mozilla should clarify a few potential issues:
– First, where do Mozilla and Google, which has introduced a similar policy, draw the line on obfuscation? Most if not all developers at least slightly obfuscate code in order to protect it from unauthorized appropriation, whether to protect their invention from copycats and attackers
– Related to this, how will they evaluate the safety of all submitted code—in short, what is their process? This is important because bad actors are also known to eschew obfuscation to make their code appear legitimate and harmless.
– Finally, why will Mozilla block the extension only after the user installs it rather than before?”