Firefox Extensions
Overview
Firefox stores extension (add-on) metadata in extensions.json, a JSON file within each profile directory. This file contains detailed information about every installed extension, theme, language pack, and dictionary, including version, permissions, installation source, active/disabled status, signature verification state, and blocklist status.
Extensions are forensically significant because they reveal user behaviour patterns, privacy tool usage, potential malware vectors, and browser capability modifications. A privacy-focused extension set (VPN, ad blocker, tracker blocker) suggests a security-conscious user, while unsigned or sideloaded extensions may indicate compromise.
File Locations
| File | Path | Description |
|---|---|---|
| Extension metadata | ~/Library/Application Support/Firefox/Profiles/{profile}/extensions.json | Complete extension registry |
| Installed extensions | ~/Library/Application Support/Firefox/Profiles/{profile}/extensions/ | XPI files and extracted extensions |
| Extension storage | ~/Library/Application Support/Firefox/Profiles/{profile}/storage/default/ | Per-extension data |
| Browser ext data | ~/Library/Application Support/Firefox/Profiles/{profile}/browser-extension-data/ | WebExtension storage |
File Format
extensions.json Structure
```json
{
  "schemaVersion": 35,
  "addons": [
    {
      "id": "uBlock0@raymondhill.net",
      "name": "uBlock Origin",
      "version": "1.54.0",
      "type": "extension",
      "description": "An efficient blocker...",
      "creator": "Raymond Hill",
      "homepageURL": "https://github.com/gorhill/uBlock",
      "active": true,
      "userDisabled": false,
      "appDisabled": false,
      "softDisabled": false,
      "blocklistState": 0,
      "installDate": 1710504000000,
      "updateDate": 1704873600000,
      "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/...",
      "location": "app-profile",
      "visible": true,
      "signedState": 2,
      "incognito": "spanning",
      "permissions": {
        "permissions": ["dns", "menus", "privacy", "storage", "tabs",
                        "webNavigation", "webRequest", "webRequestBlocking"],
        "origins": ["http://*/*", "https://*/*"]
      }
    }
  ]
}
```
Key Fields for Analysis
| Field | Forensic Significance |
|---|---|
| id | Unique extension identifier (e.g., uBlock0@raymondhill.net) |
| name | Human-readable extension name |
| version | Installed version |
| type | Add-on type: extension, theme, locale, dictionary, plugin |
| active | Whether the extension is currently running |
| userDisabled | User manually disabled the extension |
| appDisabled | Firefox disabled the extension (compatibility, policy) |
| blocklistState | Mozilla blocklist status |
| installDate | When the extension was installed (Unix milliseconds) |
| updateDate | When the extension was last updated (Unix milliseconds) |
| sourceURI | Download URL -- reveals AMO, sideloading, or enterprise deployment |
| location | Installation location (profile, system, built-in) |
| signedState | Signature verification state |
| permissions | API and host permissions requested |
Extension Types
| Type | Description |
|---|---|
| extension | Standard browser extension (WebExtension) |
| theme | Visual theme/skin |
| locale | Language pack |
| dictionary | Spell-check dictionary |
| plugin | Legacy NPAPI plugin (rare in modern Firefox) |
Installation Locations
| Location | Description | Forensic Meaning |
|---|---|---|
| app-profile | User profile | Normal user installation from AMO or sideload |
| app-system-defaults | System defaults | Pre-installed by system administrator |
| app-builtin | Built into Firefox | Ships with Firefox (e.g., built-in themes) |
| app-system-share | System shared | Installed system-wide for all users |
| app-system-local | System local | Local system installation |
| app-system-addons | System add-ons | Mozilla system add-ons |
| app-temporary | Temporary install | Developer sideloading via about:debugging |
Signed State Values
| Value | Meaning | Forensic Significance |
|---|---|---|
| -1 | Signing not required | Development or enterprise environment |
| 0 | Not signed | Potentially suspicious -- unsigned extensions cannot be installed in release Firefox without override |
| 1 | Preliminary review | AMO preliminary review only |
| 2 | Signed | Full AMO signature verification |
| 3 | System add-on | Mozilla system add-on signature |
| 4 | Privileged | Mozilla privileged add-on |
Blocklist State Values
| Value | Meaning |
|---|---|
| 0 | Not blocked |
| 1 | Soft blocked (user warned) |
| 2 | Hard blocked (forcefully disabled) |
| 3 | Soft blocked (disabled with option to re-enable) |
Timestamps
Extension timestamps use Unix milliseconds (milliseconds since 1970-01-01 UTC).
installDate = 1710504000000
Unix seconds = 1710504000000 / 1000 = 1710504000
Result = 2024-03-15T12:00:00Z
Analysis Notes
Risky Permission Detection
The macfor collector flags extensions with permissions that grant broad access or sensitive capabilities. The following permissions are flagged:
| Permission | Risk |
|---|---|
| nativeMessaging | Can communicate with native applications outside the browser |
| webRequest | Can intercept and observe all network requests |
| webRequestBlocking | Can intercept, modify, and block network requests |
| <all_urls> | Full access to all websites |
| clipboardRead | Can read clipboard contents |
| downloads / downloads.open | Can manage and open downloaded files |
| management | Can manage other extensions |
| privacy | Can modify privacy settings |
| proxy | Can control proxy settings |
| cookies | Can access browser cookies |
| history | Can access browsing history |
| bookmarks | Can access bookmarks |
| browsingData | Can clear browsing data |
| tabs | Can access browser tab information |
| dns | Can resolve DNS queries |
Broad host permissions are also flagged:
| Pattern | Risk |
|---|---|
| *://*/* | Full access to all websites via wildcard |
| http://*/* or https://*/* | Full access to all HTTP/HTTPS sites |
| file:///* | Access to local files |
Source URI Analysis
The sourceURI field reveals where the extension was installed from:
- AMO (addons.mozilla.org): Standard installation from Mozilla's curated store.
- Direct URL download: Sideloaded from a third-party source.
- Empty or null: Built-in or enterprise-deployed extension.
- file:// URI: Locally installed from disk (developer or testing).
Identifying Suspicious Extensions
Red flags to investigate:
- Unsigned extensions (signedState = 0): Cannot normally be installed in release Firefox.
- Blocked extensions (blocklistState > 0): Mozilla identified the extension as harmful.
- Extensions with nativeMessaging: Can execute arbitrary local programs.
- app-temporary location: Developer sideloading, potential malware testing.
- Extensions requesting <all_urls> + webRequestBlocking: Can intercept all traffic.
- Unknown source URIs: Not from AMO.
- Very recent install dates combined with broad permissions.
Incognito/Private Browsing Mode
The incognito field indicates how the extension behaves in private browsing:
| Value | Meaning |
|---|---|
| spanning | Extension runs in private windows with shared state |
| split | Extension runs in private windows with separate state |
| not_allowed | Extension does not run in private windows |
An extension allowed in private browsing can observe activity the user intended to be ephemeral.
Useful Analysis Steps
- List all active extensions with permissions: Focus on active: true extensions and their requested permissions.
- Check for privacy/security tools: uBlock Origin, Privacy Badger, HTTPS Everywhere, VPN extensions indicate security awareness.
- Check for development tools: Indicates a technical user (e.g., React DevTools, Redux DevTools).
- Cross-reference blocked extensions: Any extension with blocklistState > 0 was identified as harmful by Mozilla.
- Timeline of installations: Sort by installDate to see when the user's extension set evolved.
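The red flags and analysis steps above, applied to a parsed extensions.json in Python; this is an added example, not macfor's implementation or code from the original page. The helper@example.invalid record, the function names and the flag labels are constructed for illustration, and treating the wildcard host patterns as equivalent to <all_urls> is an assumption of this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Permission names and host patterns copied from the tables on this page.
RISKY = {"nativeMessaging", "webRequest", "webRequestBlocking", "<all_urls>",
         "clipboardRead", "downloads", "downloads.open", "management", "privacy",
         "proxy", "cookies", "history", "bookmarks", "browsingData", "tabs", "dns"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # treated alike (assumption)

def classify_source(uri):  # buckets from the Source URI Analysis section
    if not uri:
        return "builtin-or-enterprise"
    parts = urlsplit(uri)
    if parts.scheme == "file":
        return "local-file"
    return "amo" if parts.hostname == "addons.mozilla.org" else "third-party"

def triage(doc):  # one row per add-on, oldest install first, red flags attached
    rows = []
    for a in sorted(doc.get("addons", []), key=lambda x: x.get("installDate") or 0):
        perms = a.get("permissions") or {}
        api = set(perms.get("permissions") or [])
        hosts = set(perms.get("origins") or []) | (api & ALL_SITES)
        src = classify_source(a.get("sourceURI"))
        checks = {"unsigned": a.get("signedState") == 0,
                  "blocklisted": (a.get("blocklistState") or 0) > 0,
                  "temporary-install": a.get("location") == "app-temporary",
                  "non-amo-source": src in ("third-party", "local-file"),
                  "nativeMessaging": "nativeMessaging" in api,
                  "all-traffic-interception": bool(hosts & ALL_SITES) and "webRequestBlocking" in api}
        when = datetime.fromtimestamp((a.get("installDate") or 0) / 1000, tz=timezone.utc)
        rows.append({"id": a.get("id"), "source": src, "installed": when.isoformat(),
                     "risky": sorted((api & RISKY) | (hosts & (ALL_SITES | {"file:///*"}))),
                     "flags": [name for name, hit in checks.items() if hit]})
    return rows

# Constructed sample: the uBlock Origin record from this page plus a made-up sideload.
SAMPLE = {"addons": [
    {"id": "helper@example.invalid", "signedState": 0, "location": "app-temporary",
     "sourceURI": "file:///tmp/helper.xpi", "installDate": 1710590400000,
     "permissions": {"permissions": ["nativeMessaging", "webRequestBlocking", "<all_urls>"]}},
    {"id": "uBlock0@raymondhill.net", "signedState": 2, "location": "app-profile",
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/...",
     "installDate": 1710504000000, "permissions": {"origins": ["http://*/*", "https://*/*"],
         "permissions": ["dns", "menus", "privacy", "storage", "tabs", "webNavigation",
                         "webRequest", "webRequestBlocking"]}}]}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["installed"], row["id"], row["source"], row["flags"], row["risky"])
```

To run it on evidence, pass the result of json.load() on a working copy of the profile's extensions.json to triage(). A flag marks a record for review: the uBlock Origin record trips the interception check because a content blocker legitimately needs that combination.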
Version Differences
| Version | Change |
|---|---|
| Firefox 57 (Quantum) | Legacy XUL/XPCOM extensions no longer supported. Only WebExtensions. |
| Firefox 74+ | Extensions can request permissions dynamically at runtime |
| Firefox 109+ | Manifest V3 support alongside V2 |
Since Firefox 57, all extensions must use the WebExtensions API. The extensions.json format has been stable across supported versions.
Tool Support
| Tool | Capability |
|---|---|
| macfor | Full extension parsing with risky permission detection, source analysis, and signed state classification (Pro module) |
| AXIOM | Automated Firefox extension extraction |
| Autopsy | Extension enumeration via Firefox module |
| Manual JSON inspection | extensions.json is human-readable JSON |