Mozilla is planning to require developers of extensions for Firefox to use two-factor authentication on their developer accounts to help defend against attacks that seek to compromise legitimate extensions.
The move is part of the growing movement among software and hardware companies to shore up the security of the supply chain. The concerns about malicious insiders or skilled attackers being able to compromise a link in the software or hardware supply chain are not new, but they have become more and more prevalent in recent years as manufacturing and research and development operations have become much more distributed and difficult to keep tabs on. Historically, much of the concern around supply chain security has focused on hardware devices, as they typically involve multiple manufacturers, suppliers, and distributors, so there are more opportunities for malicious actors to compromise a device.
But the security of the software supply chain has become more of a focus as high-profile incidents involving compromised products and updates have come to light. Although many software products are developed by relatively small teams, often within the same organization, browsers such as Firefox present a unique challenge for addressing supply chain threats. Though the browsers themselves are developed by professional in-house teams, they all allow third-party extensions written by outside developers. Mozilla’s move is a way to get a better handle on the security of the accounts those outside developers use to access the company’s extension platform, addons.mozilla.org (AMO).
“Starting in early 2020, extension developers will be required to have 2FA enabled on AMO. This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users. 2FA will not be required for submissions that use AMO’s upload API,” Caitlin Nieman, add-ons community manager at Mozilla, said.
“Before this requirement goes into effect, we’ll be working closely with the Firefox Accounts team to make sure the 2FA setup and login experience on AMO is as smooth as possible. Once this requirement goes into effect, developers will be prompted to enable 2FA when making changes to their add-ons.”
Add-ons, or extensions as they’re referred to in other places, are small apps integrated with a given browser that extend or add to the functionality of that browser. An add-on could be something as simple as a weather app or something more complex, such as a password management extension. Add-on developers typically have some limited access to the browser vendor’s infrastructure through a developer account. There have been a number of instances in the last few years in which attackers were able to compromise a developer’s account on one of these systems, or subvert it in some other way, in order to add malicious code to the extension or replace it with something similar but malicious.
The addition of 2FA for add-on developer accounts puts an extra, rather high hurdle in the way of an attacker who may be targeting a specific developer’s account.