Mozilla: Firefox Add-On Developers Must Use 2FA
Enhanced Authentication Could Help Beef Up Security of the Supply Chain
To help enhance security, Firefox extension developers will be required to set up their accounts to support two-factor authentication beginning early next year, Mozilla, the open source community that supports the browser, has announced.
Extensions, or add-ons, are small programs that integrate with a browser to extend its functionality. They range from something as simple as a weather widget to something far more privileged, such as a password manager.
Add-on developers typically have some limited access to the browser vendor's infrastructure through a developer account. In a number of instances in recent years, attackers have compromised a developer's account on one of these systems, or subverted it in some other way, in order to inject malicious code into an extension or replace it with a look-alike that behaves maliciously. Because browsers update installed extensions automatically, one compromised developer account is enough to push a tampered version to every user of that add-on.
Accounts on addons.mozilla.org, or AMO, are integrated with Firefox accounts, enabling users to manage multiple services from one login.
In a blog addressing extension developers, Caitlin Neiman, Add-ons community manager at Mozilla, writes: “To prevent unauthorized people from accessing your account, even if they obtain your password, we strongly recommend that developers enable two-factor authentication as it adds an extra layer of security to the account by adding an additional step to the login process to prove you are who you say you are.”
Two-factor authentication will not be required for submissions that use AMO's upload API, which is authenticated with API credentials rather than an interactive login. Developers who automate their releases that way therefore need to guard those API credentials with the same care as their account password, because the new requirement does not cover that path.
“Before this requirement goes into effect, we’ll be working closely with the Firefox accounts team to make sure the 2FA setup and login experience on AMO is as smooth as possible,” Neiman writes. “Once this requirement goes into effect, developers will be prompted to enable 2FA when making changes to their add-ons.”
Mozilla's Firefox is the fourth most popular web browser worldwide, with about 17 percent market share, according to Statista.com.
Security of Supply Chain
The move is part of the growing movement among software and hardware companies to shore up the security of the supply chain. Concerns about malicious insiders or skilled attackers being able to compromise a link in the software or hardware supply chain have grown in recent years as manufacturing and research and development operations have become much more distributed and difficult to keep tabs on, reports Duo.com.
Practitioners say supply chain security has become a serious concern for enterprises and government agencies in the United States as more and more devices and their various components are manufactured and assembled overseas, making it difficult to gain visibility into the integrity of the manufacturing process. Recently, public and private sector cybersecurity officials have expressed concerns about the ability of organizations to identify suspect suppliers and share that information with peers and colleagues without fear of reprisal.
“Information about suspect suppliers cannot be freely exchanged when enterprises are subject to a variety of legal actions, including violations of federal or state anti-trust laws, anti-competitive behaviors or deceptive trade practices,” says Robert Mayer, senior vice president of cybersecurity at the United States Telecom Association.
Prakash Kumar Ranjan, senior manager-IT and information security audit at Airtel Payments Bank in India, supports Mozilla's move to two-factor authentication for add-on developers because end users have no way of detecting whether an add-on update is malicious.
“Since Mozilla add-ons have a privileged position inside the browser, an attacker can use a compromised add-on to steal passwords, authentication or session cookies, spy on a user's browsing history and habits, or even redirect users to phishing pages or malware download sites,” Ranjan says.
In the blog post, Neiman describes a two-step process that add-on developers must follow to enable two-factor authentication on their Firefox account.
Neiman also writes that developers should download or print their recovery codes and keep them in a safe place in case they lose access to their authentication application.
"If you ever lose access to your 2FA devices and get locked out of the account, one will need to provide one of the recovery codes to regain access," Neiman writes. "In addition, misplacing these codes can lead to permanent loss of access to the account and the extensions on AMO."
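To make the two pieces of that advice concrete, here is an added example (not Mozilla's code, and not a description of how Firefox accounts implement it) of what a server does with an authenticator-app second factor and a set of recovery codes. It assumes the scheme that common authenticator apps use, TOTP per RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits, and it assumes recovery codes are 10-character hex strings stored only as hashes and consumed on first use. The class name `SecondFactor`, the method names, and the RFC 4226/6238 test secret are choices made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class SecondFactor:
    """Server-side state for one account: a TOTP secret plus one-time recovery codes.

    The plain-text recovery codes exist only at enrollment time (self.recovery_codes);
    a real server would show them once and keep only the hashes, as done here.
    """

    def __init__(self, secret: bytes, n_recovery: int = 8):
        self.secret = secret
        # Assumed format: 10 hex characters per code, generated from a CSPRNG.
        self.recovery_codes = [secrets.token_hex(5) for _ in range(n_recovery)]
        self._recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.recovery_codes}
        # Highest TOTP counter already accepted; stops a sniffed code being replayed in its window.
        self._last_counter = -1

    def provisioning_secret(self) -> str:
        """Base32 form of the secret, which is what an authenticator app is given at enrollment."""
        return base64.b32encode(self.secret).decode().rstrip("=")

    def verify(self, submitted: str, at=None, window: int = 1):
        """Return "totp" or "recovery" on success, None on failure.

        `window` allows one step of clock drift either side; each counter value and
        each recovery code can succeed at most once.
        """
        at = int(time.time()) if at is None else at
        counter = at // 30
        for drift in range(-window, window + 1):
            c = counter + drift
            if c > self._last_counter and hmac.compare_digest(hotp(self.secret, c), submitted):
                self._last_counter = c
                return "totp"
        # Fall back to recovery codes: compare hashes in constant time and burn the code on use.
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        for stored in list(self._recovery_hashes):
            if hmac.compare_digest(stored, digest):
                self._recovery_hashes.discard(stored)
                return "recovery"
        return None

    def recovery_codes_left(self) -> int:
        return len(self._recovery_hashes)


if __name__ == "__main__":
    # RFC 6238's published test secret; at T=59 the 6-digit code is 287082.
    demo = SecondFactor(b"12345678901234567890")
    print("enroll app with:", demo.provisioning_secret())
    print("code at T=59:", totp(demo.secret, 59), "->", demo.verify("287082", at=59))
    print("replay of same code:", demo.verify("287082", at=59))
    print("recovery code once:", demo.verify(demo.recovery_codes[0], at=59),
          "then again:", demo.verify(demo.recovery_codes[0], at=59))
    print("codes remaining:", demo.recovery_codes_left())
```

The two properties Neiman's advice depends on are visible in `verify`: a recovery code is the only way in once the TOTP secret is unreachable, and because the server holds hashes rather than the codes themselves, a user who loses the printed copy cannot have it re-displayed; re-enrollment, if the service allows it, is the only remedy.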
Ranjan adds: "Security teams need to enforce secure coding practices and use Static Application Security Testing and dynamic tools for checking the security parameters of the source code."