Mozilla announced this week that all Firefox extension developers must enable two-factor authentication (2FA) for their accounts. “Starting in early 2020, extension developers will need to enable 2FA on AMO (addons.mozilla.org),” Mozilla Extended Community Manager Caitlin Neiman wrote in an official blog post. “This is to prevent a malicious attacker from controlling a legitimate extension and its users.”
When a developer account is compromised, the attacker can use it to push an infected extension update to Firefox users. Attackers can also use infected extensions to steal passwords and authentication/session cookies, monitor users’ browsing habits, or redirect users to phishing pages or malware download sites. These types of events are often referred to as supply chain attacks. When this happens, end users cannot detect whether the extension update is malicious, especially if the infected update comes from the official Mozilla AMO, a source that all Firefox users consider safe.
Two-factor authentication (2FA) adds a layer of security to the account by adding extra steps to the sign-in process to prove the user’s true identity. Mozilla decided to require extension developers to enable 2FA to prevent possible supply chain attacks.
Although there have been no cases of AMO accounts being hijacked for Firefox extensions in recent years, there have been many cases of Chrome extensions being hijacked. Developers of Chrome extensions are often targeted with phishing emails by hackers trying to gain access to their Chrome Web Store accounts.
Typically, such attacks primarily target developers of extensions for Chrome, which has a 65%-70% market share. Firefox, with only 10%, is less attractive to attackers. However, Mozilla was alert enough to take pre-emptive action.
Mozilla tells users to enable two-factor authentication (2FA) for their accounts before the new rules take effect, as described on support.mozilla.org.