Closed Bug 1848724 Opened 2 years ago Closed 2 years ago

Intruder can easily guess passwords or find out which accounts use the same password

Categories

(Firefox :: about:logins, defect)


RESOLVED DUPLICATE of bug 1634906

People

(Reporter: justin.juska, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

I’ve started to use Firefox password manager for all my password management needs lately. There are more than 200 passwords stored in my Firefox browser. I was searching for particular accounts and it started to give me weird results from time to time. Since passwords are generated, it was not straightforward to connect the dots on what was happening specifically.

Today I had to create a few simple accounts that contained simple account names and ordinary passwords. Some of them matched account names with passwords, some were the opposites. Once it started to give me results, it occurred to me what was going on!

I’ve tried to enter the passwords of accounts that have secure passwords (naturally/generated) and it showed which accounts were using that password. Shockingly, the same happens even if a Primary Password is used, which is said to help encrypt all passwords and increase security posture.

Using a Primary Password should be the gate that decrypts a password on the fly if it needs to be accessed, instead of storing it in memory.

Potential attack vectors crossed my mind. I will mention some here, but it’s very likely not limited to this list:

• Someone with access to the computer can open Firefox and can easily guess passwords by following the correct trail. Much easier than brute force, especially if the password is not generated. If the password has context, an intruder can guess passwords quickly by having enough information about the user from social engineering
• If an intruder knows a single password, he can enter it and get a list of accounts where the same password is used as well

The same steps could be replicated with all the newest Firefox browser versions: Firefox, Firefox Developer Edition, Firefox Nightly

In my eyes it is a serious vulnerability which can be easily exploited if it is disclosed publicly, since its execution is simple once there is public awareness.

Affected:

Firefox: 116.0.2 (64-bit)
Firefox Developer Edition: 117.0b7 (64-bit)
Firefox Nightly: 118.0a1 (2023-08-14) (64-bit)

Flags: sec-bounty?
Component: Security → about:logins

I've added my PGP public key to decrypt emails sent from Bugzilla now. I would like to request that the email be re-sent so that I'll be able to read it.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1765473
Resolution: --- → DUPLICATE
Group: firefox-core-security
Duplicate of bug: 1634906
No longer duplicate of bug: 1765473
Flags: sec-bounty? → sec-bounty-