Closed Bug 326602 Opened 19 years ago Closed 19 years ago

There is a tool avalibe that "decrypts" information stored in the Password Manager (local) !!!

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: firealwaysworks, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

This is a local security flaw in Firefox's storage of passwords. Within seconds of running the exploit code all login information is provided. The attacker must be able to execute code on the machine; such as your every day SPYWARE/BOTNET infected windows machine. With this information they could login to web applications you use (such as Gmail!!) and take what they need.  

The security researcher that goes by the Handel "Aphex" his site can be found:
http://www.iamaphex.cjb.net/

The following link contains a compressed archive containing an executable and the corresponding source code to demonstrate the security flaw in Firefox:
http://iamaphex.net/downloads/FirefoxPasswordDecrypter.zip 

Good Luck,
--Mike

Reproducible: Always

Steps to Reproduce:
1.download this: http://iamaphex.net/downloads/FirefoxPasswordDecrypter.zip
2. Run under a windows system (I'm useing xp).

Actual Results:  
Finds my passwords,  almost instantly. 

Expected Results:  
To not disclose my passwords.

The OpenSSL libraries are included in Firefox,  this library can store encrypted information in a file. The password file should not be this insecure.  I understand the problems with local security.  The most disturbing issue here is that it takes seconds to crack and a child could do it. No expensive rainbow hash tables or brute forcing is required.
Of course it's possible to decrypt passwords if you don't have a master password. If Firefox encrypted them, it would have to have the key lying around somewhere in order to send the passwords to web sites when needed.  (In fact, I think that's what it does by default.)

Please reopen if I'm misunderstanding and this tool can decrypt a password file in a master-passworded profile without having the master password.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.