Firefox add-ons ‘more difficult’ to hijack, Mozilla claims. But are they?

As we reported yesterday, Google had to address an issue with Chrome and tainted browser extensions “Add to Feedly” and “Tweet This Page” that began to spit out unwanted ads, prompting a backlash from users and banishment by Google. After such an incident, you might be concerned that other Web browsers, like Mozilla’s ultra-popular Firefox, could be susceptible to similar shenanigans, and perhaps rightly so.

If you ask Mozilla, however, that issue is not likely to crop up for Firefox users. Here whats a Mozilla spokesperson had to say when asked about the possibility of Firefox add-ons getting hijacked with ad-spamming code the way “Add to “Feedly” and “Tweet This Page” were on Chrome.

“For add-ons hosted on, all version updates are code reviewed and tested by a member of our review team, and it needs to pass all of our review policies to be pushed to users via auto-update,” Mozilla’s spokesperon said. “One such policy is that all unexpected changes, such as advertising, needs to be explicitly opt-in. This all makes it more difficult for this kind of hijacking to be effective for add-ons listed on Mozilla Add-ons.” 

According to though, Mozilla Firefox isn’t exactly bulletproof when it comes to add-on hijacks. indicates that one Firefox add-on dubbed Autocopy was developed, then sold to a company called Wips. Once Autocopy was acquired by Wips, it was then re-jiggered to include code containing ad generating instructions, thereby exploiting a Mozilla add-on approval loophole. 

It’ll be interesting to see what Google, Mozilla, and other heavyweight browser makers will do to ensure that tainted, reengineered browser add-ons don’t sully the web surfing experience for their users.

What do you think? Sound off in the comments below.

Update 1/28/14: A Mozilla rep reached out to us, offering this statement regarding Wips and AutoCopy.

“Version 1.0.8 of AutoCopy is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic. After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn’t pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and is what the majority of users have installed.”

Get our Top Stories delivered to your inbox: