Developer reply by Daniel Dawson
Rated 3 out of 5 stars
The add-on itself is great and very useful, however I'm concerned about its integrity as a routine scan using a new anti-malware program (Reason Core) detected that it had the notorious 'Ramnit' trojan attached to it, and it deleted the whole add-on as a precaution. I don't know whether to risk downloading it again, I didn't save any passwords for financial or shopping sites but it's still a worry. I don't believe the developer had any foreknowledge or involvement in this but clearly someone managed to get it on there.
This review is for a previous version of the add-on (2.9.1-signed).Where exactly did you download Saved Password Editor? I just tried downloading from AMO (through the "Add to Firefox" button on the main listing page) and comparing to my build. The files are identical, so it's impossible for any malware to have been added there.
If you got the add-on through another site, please note that you should be wary of other sites, especially when the official distribution is here. If you downloaded from here, then it seems either your computer is already infected with something that is manipulating what you receive, or your anti-malware software gave you a false positive (quite possible depending on how it fingerprints malware).
I also would like to point out that you should not feel safe with other Firefox extensions just because their stated purpose doesn't involve handling your passwords. *All* extensions (i.e. add-ons that modify behavior) have full privileges to do anything Firefox itself can do (except for SDK add-ons that do not request such privilege). Having an add-on whose description says nothing about passwords be the one to steal them makes more sense, don't you think? However, the review performed by actual humans (the add-on reviewers) before add-ons are allowed to be publicly released is designed to prevent such a blatant violation.
There are still ways that malware can slip in, though. In the near future (planned for version 41; version 40 will have a preference allowing it to be disabled), Firefox is going to allow only extensions signed by Mozilla to be installed. See https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/ and https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/ and https://wiki.mozilla.org/Addons/Extension_Signing for more info. That should significantly reduce such infections, among other things.
To create your own collections, you must have a Mozilla Add-ons account.