Developer reply by Daniel Dawson
Rated 3 out of 5 stars
How do we know if we can trust the developer of these 'password' programs? If I were a hacker, I'd write a password program and release it to the masses as a Firefox Add-on, then make thousands stealing people's money.
My question is what is stopping people doing this?
Generally, trust is a valid concern. However, you need to understand some things. First, AMO is not a free-for-all. Addons and their updates are reviewed by random AMO editors before being published, and they are supposed to look for things like spyware, and they demand access to source code in all cases; thus, some of the trust is on them in addition to the authors. If you believe otherwise, see what happens if you submit your own spyware,* but don't blame me if you get banned for violating the TOS. Obviously it's no guarantee, and users are free to install sandboxed versions at their own risk, but it does help a lot.
Second, this addon is free and open-source, with no hidden or obfuscated code, and I even allowed viewing the code online (link near the bottom); if you are capable of reading it, please do so and find out for yourself (it's less than 1,000 lines, not counting the skin and locales); if not, you might try to get someone else to look it over. I can't help, of course, for obvious reasons.
Third, there's actually no reason to single out this addon anyway, because *all* extensions have the security privileges to access users' passwords and send them off to wherever. Certainly it would be easier to commit identity theft through a more innocent-sounding extension than this. Think about that next time you install some tab-related extension. At least using AMO hosted addons affords some protection due to the review process.
So to answer your questions, AMO editors are stopping people stealing passwords, at least to an extent and for Public versions; and I probably deserve about the same trust as any other extension developer here, however much or little that might be.
* No, I'm not actually advising anyone to submit spyware or otherwise violate the TOS. It's merely rhetorical.