Keeping passwords in plain text in “value” attribute. Addons can use this for password leaking

Either there is a security hole or I’m missing information about something.

While I was testing how Surfingkeys addon works I’ve noticed that it has command yf to copy form content on current web page. I though about testing it on “Sign In” and “Log In” forms on few websites to see if it would be able to retrieve typed passwords in plain text. It was successful if standardized <form> tags were used.

Then I’ve noticed that in most web applications password is kept in <input value=""> attribute in plain text which to me seems like by-standard security hole for whole W3 stack (HTML, CSS, JS, etc.). If this addon was able to get password from DOM then any addon can do that. The only piece missing is sending that data to server of a 3rd party who are owners of such malicious addon – such situation already had place with Stylish.

So attack scenario looks like this:

  1. Company “mal1c1ous” buys popular web addon.

  2. They add to addon generic <form> parser script which retrieves data from <input value="">.

  3. For each known website they make their addon “decorate” submit buttons with script which on click 1st sends request with credentials to their server and then to host of that website. Or they just send requests each time parser script is able to get new data.

  4. After some time they perform an attack using gathered credentials.

I find that scenario possible show me that it can’t happen. Also my question is: given that is Web security flawed by design?

The thing is that no one discourages from using <input value=""> as a password holder it seems that there is no other option by standard. Web developers can only come up with their own ideas to obfuscate where a password is stored before request is made.

FLYNAX Auto Classifieds – Latest version plus add-ons (Stripe/Facebook/Coupons)

I purchased this script for a project but didn't end up using it. Would like to sell to recover some of the losses. Asking $ 100. Comes with the Stripe add-on, the Facebook Connect add-on and the Coupon add-on. Also comes with a bunch of plugins that I will have to email to you once you have made the purchase.

Why does Firefox keep offering “unreputable” add-ons and add-ons that they don’t even review?

When I install an add-on to Firefox, choosing it from the ones I find by using the Tools / Add-ons menu, sometimes after a few days Avast pops up a warning that the add-on is “unreputable” and strongly recommends and offers to remove it.

Of course malicious add-ons could potentially steal my passwords, intercept anything I type in that browser and do horrible things in general, so when I see such warnings I don’t think twice and I just remove the add-on, but it’s becoming too frequent and annoying, and it surprises me a lot that apparently Avast knows so much better than Mozilla about unreputable Firefox add-ons.

If Avast discovers malice in an add-on and lets the world know and even offers to remove it, why at the same time Mozilla happily keeps offering the add-on for long time? I had some that Avast recommended me to remove many months ago and are still offered in FF. Mozilla might even offer add-ons that were never checked at all, see this answer, but how is that possible if add-ons are potentially so dangerous? I’m also curious about how common successful attacks via FF add-ons are.

Also because if it’s so common that FF add-ons that keep being offered in FF are unreputable, I would have a good deal of worrying to do for the past, because I kept “unreputable” add-ons installed for a while before Avast found them.

Firefox 66.0.3 (64-bit) addons broken

Ive used Firefox for years, but in a recient update, Firefox Quantum, disabled all of my Firefox addons. The addon page in Firefox shows a link to a Firefox help page that states the reason. “Only extensions built using WebExtensions APIs will work. .” At the bottom of the page it gives a work around. Set; xpinstall.signatures.required to false in about:config. I was able to reinstall one addon, Video DownloadHelper, but the rest I try to reinstall gives me a message in a red box, Download failed. Please check your connection. Is there something else I can do before I try a different browser?

Dell Optiplex 7040, Ubuntu 18.1, Firefox 66.0.3 (64-bit)