Closed Bug 1800800 Opened 2 years ago Closed 1 year ago

Able to access stored password from browser and decrypt them.

Categories

(Toolkit :: Password Manager, task)

Product:
Toolkit
Component:
Password Manager
Type:
task

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: wilhelm_hegel, Unassigned)

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?])

It was discovered when I was trying to figure out how the security of the browser worked.

You have to remove the saved files in the browser (C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\XXXXrelease) onto a usb. You can then have an unrelated broswer on a completly different computer emulate itself as the first one and decrypt the stored passwords.

Flags: sec-bounty?
Group: websites-security → firefox-core-security
Component: Other → Password Manager
Product: Websites → Toolkit
Flags: needinfo?(dveditz)

This is well-known property of the current implementation so I don't think it needs to be hidden as a sec bug. Right now, if you don't want this to be possible, set a primary password (in which case you'd need the primary password in order to decrypt the passwords, on both machines). In the future we might look at using OS-provided crypto stores to tie the passwords to the local user account, but that would need some UX work for when users e.g. migrate machines.

Group: firefox-core-security

Thanks for the report, but this is how browser is supposed to work. You can use Primary Password to add an extra layer of protection.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dveditz)
You need to log in before you can comment on or make changes to this bug.