@This2ShallPass @themachinestops As an extension developper on Mozilla’s store, yes it’s definitely possible. There’s some automatic review process but what you state in your implicit data consent disclosure (that’s how they call it) is up to the developer.

However, the extension can’t access all websites unless you specifically allow it while installing. There’s an “All websites” permission, so if it’s that or if it includes some kind of sketchy site then it’s a bad sign.

Finally, just like any web page, you can always inspect an extension and check the network requests to see if it’s doing malicious stuff. If so, then you can report it.

But since mozilla accounts are free and only require a verified email, they could just create another one. It’s an endless game of whack-a-mole!

Since some extensions are “mozilla-approved”, I guess they test it regularly, it wouldn’t be hard to verify if one is really sending anything despite their disclosure.