Firefox Extensions

Overview

Evidence: Firefox Extensions
Description: Collect Firefox Extensions (Addons)
Category: Applications
Platform: macos
Short Name: fext
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Firefox extensions (add-ons) enhance browser functionality but can pose significant security risks. Malicious extensions can steal credentials, inject ads, track browsing activity, exfiltrate data, and modify web content. Understanding installed extensions is crucial for detecting browser-based attacks and unauthorized access.

Data Collected

This collector gathers structured data about firefox extensions.

Firefox Extensions Data

Field	Description	Example
`ExtensionID`	Extension ID	Example value
`SyncGUID`	Sync GUID	Example value
`Version`	Version	Example value
`Username`	Username	Example value
`Type`	Type	Example value
`Name`	Name	Example value
`Description`	Description	Example value
`Visible`	Visible	true
`Active`	Active	true
`UserDisabled`	User Disabled	true
`AppDisabled`	App Disabled	true
`Path`	Path	Example value
`DefaultLocale`	Default Locale	Example value
`Hidden`	Hidden	true
`InstallTelemetryInfo`	Install Telemetry Info	Example value
`Location`	Location	Example value
`ManifestVersion`	Manifest Version	123
`OptionsURL`	Options URL	Example value
`OptionsType`	Options Type	123
`SourceURI`	Source URI	Example value
`SignedState`	Signed State	123
`Incognito`	Incognito	Example value
`UserPermissions`	User Permissions	Example value
`OptionalPermissions`	Optional Permissions	Example value
`InstallDate`	Install Date	2023-10-15 14:30:25+03:00
`UpdateDate`	Update Date	2023-10-15 14:30:25+03:00
`SignedDate`	Signed Date	2023-10-15 14:30:25+03:00

Collection Method

This collector parses Firefox extensions.json and addons.json files from user profiles to extract installed extension information including names, IDs, versions, descriptions, permissions, and installation sources.

Forensic Value

Firefox extension data provides insight into potential compromise vectors and data exfiltration paths. Malicious or suspicious extensions may indicate phishing attacks, credential theft, adware infections, or privacy violations. This evidence helps identify attack entry points, persistence mechanisms, and unauthorized browser modifications.