Alternative extension with restricted permissions

[rruizt]

Hello,

Right now this extension requires "Access your data for all websites" permission. I understand why this is used and I agree reading QR codes from the screen is useful, but I consider it too risky to use.

I understand that this extension going rogue would mean that the attacker could get the login information together with the TOTP token. Am I correct?

It would be nice to have an alternative extension (maybe a fork: Authenticator-lite?) that would only allow you to introduce the shared secret as plain text but it doesn't require any additional permissions.

Thank you for your work!

[Sneezry]

Hi @rruizt , do you use Chrome or Firefox or other browser?

[rruizt]

Hello!

I use Firefox.

[Sneezry]

@mymindstorm Could you explain why we ask for <all_urls> permission on Firefox? I remember there was a tech block issue, and we did that for a workaround. Also, is it possible to make <all_urls> an optional permission?

[mymindstorm]

Firefox doesn't implement activeTab, so you have to use <all_urls>. MDN
Requesting permissions from extension popups is broken in Firefox. Bugzilla

I understand that this extension going rogue would mean that the attacker could get the login information together with the TOTP token. Am I correct?

Yes, that is correct but unlikely for a few reasons:

1. AMO reviewers review source code periodically.
2. Authenticator doesn't (and will never) load any external code, so the only way outside of a vulnerability for it to become compromised would be for a malicious update to be released.
3. CSP is enforced.

There are a few workarounds that you could use:

• Verify that a release is not malicious and disable auto-updates.
• Fork and remove the <all_urls> permission from the manifest and use your own build of the extension.

[jonathan-reisdorf]

Hi 👋 Is the answer still up-to-date? I see that the Firefox bug has been closed in Bugzilla. Perhaps there's now a way to work with less permissions? Thanks!

[mymindstorm]

The permissions that would be requested by that are not that important and I can't release a version that uses permission popups until firefox 75 is in ESR.

[geekley]

I can't release a version that uses permission popups until firefox 75 is in ESR.

@mymindstorm Is it possible now?

[mymindstorm]

I can't release a version that uses permission popups until firefox 75 is in ESR.

@mymindstorm Is it possible now?

It should be!