I use the built-in sync service in various Firefox forks to sync bookmarks/history/tabs, using the default Mozilla servers.
When I went to “Manage Account” to review and prune the devices (“services?”) linked with Mozilla Sync down to what I’m actively using currently, and noticed “Mozilla Monitor” in there.
I can’t find any info on why Mozilla Monitor required sync credentials, and I don’t remember Mozilla Monitor telling me it would be gaining access to my sync data, nor can I find any way to review what data “Mozilla Monitor” has access to.
Any ideas?
For now I’m signing out that entry, while I consider other sync options.
Ok, it’s beginning to look like bad UI design on accounts.firefox.com:
If I click sign in at monitor.mozilla.org, it redirects me to an oauth process hosted on accounts.firefox.com which prompts me for my password then sends me back to monitor.mozilla.org.
The settings page at accounts.firefox.com then lists Mozilla Monitor under “Connected Services - Everything you are using and signed into” along with all my browser/device instances. But it doesn’t disappear when signed out from monitor.mozilla.org in the same way that a browser instance disappears when signed out from sync browser-side.I’m supposing that list does not indicate what has access to sync data, which as far as I understood uses its own strong private keys browser-side which are never shared with the servers.
Monitor monitors the Web for leaked credentials you have in Firefox’s password manager. That’s what it’s for. I think it’s quite clear why it would access your sync data
I’ve seen no documentation that Mozilla Monitor works by accessing one’s sync data.
The interface suggests that it only monitors email addresses manually added on monitor.mozilla.org’s UI.
It‘s also worth mentioning that Monitor anonymizes your data before checking it for breaches.
So there shouldn‘t be any serious privacy issues.
Yes, I was aware of that at the time, and I probably assumed that my browser would be hashing each piece of data (e.g. each email address or username) before sending it to Mozilla Monitor or haveibeenpwned.
What concerns me is Mozilla Monitor appearing in the list of devices/browsers synced, each of which is implied to have cleartext access to all the data I decide to sync (bookmarks/history/tabs in my case, logins+passwords and more for many other people).