Able to access stored password from browser and decrypt them.
Categories
(Toolkit :: Password Manager, task)
People
(Reporter: wilhelm_hegel, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
It was discovered when I was trying to figure out how the security of the browser worked.
You have to remove the saved files in the browser (C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\XXXXrelease) onto a USB. You can then have an unrelated browser on a completely different computer emulate itself as the first one and decrypt the stored passwords.
Comment 1•2 years ago
This is a well-known property of the current implementation so I don't think it needs to be hidden as a sec bug. Right now, if you don't want this to be possible, set a primary password (in which case you'd need the primary password in order to decrypt the passwords, on both machines). In the future we might look at using OS-provided crypto stores to tie the passwords to the local user account, but that would need some UX work for when users e.g. migrate machines.
Comment 3•2 years ago
Thanks for the report, but this is how the browser is supposed to work. You can use Primary Password to add an extra layer of protection.
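Both comments above point to the primary password as the mitigation for a copied profile. For a managed fleet, the equivalent of asking every user to set one is to require it through Firefox's enterprise policy mechanism. The following policies.json is an added example for this bug, not a file from the report or from the Mozilla project; it assumes the real `PrimaryPassword` policy key and the `distribution/policies.json` location next to the Firefox install (e.g. `C:\Program Files\Mozilla Firefox\distribution\policies.json` on Windows), and `DisableMasterPasswordCreation` is set to false so users are not blocked from creating one.

```json
{
  "policies": {
    "PrimaryPassword": true,
    "DisableMasterPasswordCreation": false
  }
}
```

With `PrimaryPassword` set to true, the logins database stays encrypted under a key derived from the user's primary password, so a profile copied to another machine cannot be decrypted without it, which is exactly the condition Comment 1 describes.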