Firefox scraps extension sideloading over malware fears

Installation methods will need to be updated after 10 March 2020


Support for sideloaded extensions in the Firefox browser will be discontinued from next year following concerns that the function could be exploited to install malware onto devices.

Sideloading is a method of installing a browser extension that adds the file to a specific location on a user's machine through an executable application installer. Sideloaded extensions are different from conventional add-ons, which are assigned to profiles, and are also available to download outside official Firefox channels.

From 11 February 2020, the Firefox browser will continue to read sideloaded files, but will copy these over to a user's individual profile and install them as regular add-ons. Then from 10 March, sideloaded extensions will be phased out entirely.

Mozilla argues that for some users it's difficult to remove sideloaded extensions completely, as these cannot be fully removed from Firefox's Add-ons Manager. This has also proved a popular method of installing malware, the firm said.


"Sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager," said Firefox's add-ons community manager Caitlin Neiman.

"This mechanism has also been employed in the past to install malware into Firefox. To give users more control over their extensions, support for sideloaded extensions will be discontinued."

The transition period between February and March has been put in place to ensure that no pre-installed sideloaded extensions will be lost from users' profiles, given they will have been copied over as conventional add-ons.

Developers have also been urged to update install flows, and direct users to download extensions through either their own web pages or the Firefox Add-Ons hub.

One prominent example of malware installed via sideloading, albeit not on Firefox itself, was a Pokemon Go clone released in 2016 that allowed cyber criminals to gain full control of victims' smartphones.

Before Pokemon Go was available in Europe, the cyber criminals publicised a non-official version of the app that could be downloaded from sources beyond the Google Play Store.
