Closed
Bug 1236695
Opened 10 years ago
Closed 10 years ago
FireFox API Hooking and information Disclosing
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: lahlousecom, Unassigned)
Details
Attachments
(1 file: 106.99 KB, image/png)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Build ID: 20151103235259
Steps to reproduce:
Firefox Version : 43
OS : Windows 7 32 bit
Hello guys, as you know, your browser uses a function called PR_Write inside a DLL module called nss3.dll to write/submit data and client information PASSWORD/EMAIL/...
So once the target enters his username and password and clicks on the login button, the Firefox process will call the PR_Write function from the nss3.dll module. If we set a breakpoint at that function, we should see the data in clear text.
You can see the POC. Actually, there is a method to get the personal information of users by converting my script to an .exe and targeting people remotely, so in the video you will see just the demo on my machine.
POC VIDEO: https://youtu.be/otKJwJbT7ao
Screenshot of OllyDbg: http://www.3rbz.com/uploads/8cef4d852f9c1.png
Hope you validate the bug, guys, by making this sensitive info encrypted content, not plain text.
You can answer me at my Gmail: lahlousecom@gmail.com
Actual results:
So once the target enters his username and password and clicks on the login button, the Firefox process will call the PR_Write function from the nss3.dll module. If we set a breakpoint at that function, we should see the data in clear text.
Expected results:
Getting sensitive information about login and passwords
Comment 1 • 10 years ago
This is not a security issue or even a bug. Of course Firefox internal functions have access to this data. A binary debugger can extract this information; that is expected and normal.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Comment 2
You stored the sensitive data in the browser memory; you think this is not a bug?
Comment 3 • 10 years ago
Correct.