Closed
Bug 1859762
Opened 1 year ago
Closed 1 year ago
"Logins & Passwords" tab. "Search Login" input allows you to search using a remembered password and bypasses primary password protection.
Categories
(Toolkit :: Password Manager, defect)
RESOLVED
DUPLICATE
of bug 1634906
People
(Reporter: michalkosik02, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(1 file: 1.27 MB, video/mp4)
"Logins & Passwords" tab. "Search Login" input allows you to search using a remembered password and bypasses master password protection. This, of course, allows for a very easy and quick brute-force attack.
Theoretically, to get to the "Logins and passwords" tab, I need to know the master password. I will now present a simple scenario where this could be dangerous anyway.
- I turn on Mozilla Firefox. I am asked immediately for the master password. I enter this password.
- After a while, I have to go somewhere, but I leave my computer and browser on.
- The intruder takes this opportunity to see my website passwords. So he goes to the "Logins & Passwords" tab. He is not asked for the master password because I entered it when I first opened Firefox. At this point he can click on any website and click the "Show password" button (eye icon) or just the copy button. Firefox doesn't allow him to do this because a window pops up asking him to enter the master password.
- The intruder knows how to bypass this protection. All he needs to do is enter a potential password or just a letter or letters in the "Search Logins" field. This is because this input looks not only for the login but also for the password (is it supposed to work like this?). In addition, he is not asked for the master password. This bug allows an unauthorized person to gain access to a user's stored passwords by guessing them. Of course, a smarter intruder will write some brute-force script. It will be very fast because we are not limited in any way in our search. There is no limit on requests and everything is displayed immediately.
In my opinion, you should be able to search there only for the login, without the password. Or just be asked for your master password to do it.
To demonstrate this better, I will try to record a video and attach it.
System: Windows 10
Firefox: Version 118.0.2 (64-bit)
Flags: sec-bounty?
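The behaviour reported above, next to the reporter's proposed restriction, as an added example that is not part of the original report and is not Firefox source code. The record fields, function names and the `reauthenticated` option are assumptions made for this sketch; the logins are constructed sample data.

```javascript
// Added illustration; not Firefox source code. Record fields and the
// `reauthenticated` option are assumptions made for this sketch.
const SAMPLE_LOGINS = [ // constructed sample data
  { origin: "https://mail.example", username: "alice", password: "correct-horse" },
  { origin: "https://shop.example", username: "alice@example.org", password: "Tr0ub4dor&3" },
];

// Case-insensitive substring match; an empty query matches everything.
function matches(fields, query) {
  const q = query.trim().toLowerCase();
  return q === "" || fields.some((f) => f.toLowerCase().includes(q));
}

// Behaviour described in the report: the stored password is one of the
// searched fields, so the result list reveals whether the query is a
// substring of a stored secret, with no primary password prompt.
function searchLoginsLeaky(logins, query) {
  return logins.filter((l) => matches([l.origin, l.username, l.password], query));
}

// Reporter's proposal: search non-secret fields only, and include the
// password only after the caller has re-verified the primary password.
function searchLoginsGated(logins, query, { reauthenticated = false } = {}) {
  return logins.filter((l) => {
    const fields = [l.origin, l.username];
    if (reauthenticated) fields.push(l.password);
    return matches(fields, query);
  });
}

// Regression check: true if any record is returned solely because the
// query matched its password (its non-secret fields do not match).
function leaksPasswordMatch(searchFn, logins) {
  return logins.some((l) =>
    !matches([l.origin, l.username], l.password) &&
    searchFn(logins, l.password).includes(l));
}
```

`leaksPasswordMatch` can be kept as a unit test so that a later change to the searched fields cannot silently bring the secret back into an unauthenticated search.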
Updated•1 year ago
Component: Security → Password Manager
Keywords: dupeme
Product: Firefox → Toolkit
Summary: "Logins & Passwords" tab. "Search Login" input allows you to search using a remembered password and bypasses master password protection. → "Logins & Passwords" tab. "Search Login" input allows you to search using a remembered password and bypasses primary password protection.
Updated•1 year ago
Group: firefox-core-security
Updated•1 year ago
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1634906
Resolution: --- → DUPLICATE
Updated•1 year ago
Flags: sec-bounty? → sec-bounty-
Updated•10 months ago
Keywords: reporter-external