User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 Mozilla Firefox stores sensitive data, such as usernames and passwords, in clear text in memory. By performing a memory dump of firefox.exe, it is possible to gather the sensitive information. This vulnerability would be most likely exploited in the following situations: 1. An environment in which multiple people share a Windows XP computer with "Fast User Switching" enabled. Example: User "A" logs into Windows, and starts firefox. He then logs into a website. Later, leaving Firefox running, he clicks on "Start", "Log Off", then "Switch User". User "B" logs into Windows, and opens Task Manager. He locates the Process ID (PID) associated with users "A" firefox.exe. By running PMDump(1), user "B" can dump the memory of users "A" firefox.exe to a file. He can then open the file in a text editor (such as WordPad), and would be able to locate the authentication credentials that user A used to sign into the website. 2. An environment in which multiple people connect to a PC running Terminal Services/Remote Desktop Connection, in which Mozilla Firefox is installed. The process of gathering the sensitive data would be the same way used in the above Example 1; by using PMDump(1). (1) http://ntsecurity.nu/toolbox/pmdump/ Reproducible: Always Steps to Reproduce: The steps to reproduce are described in the "Details" section of this bug report. Actual Results: I was able to retrieve authentication credentials from the memory dump of Firefox. Expected Results: The software should encode/encrypt/disguise sensitive data (such as usernames and passwords used in HTTP authentication). A full report is available here: http://www.kurczaba.com/html/security/unpublished/Mozilla_Firefox_Sensitive_Data_Disclosure.htm
If someone has the rights to see your process memory, can't they probably also install a keylogger on the machine?
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
And if you encrypt the data, isn't the person also able to access the in-memory copy of the decryption key? If the OS doesn't enforce proper separation, we can't fix the problem at the application level. Anything we tried would be snake oil. I presume you are reporting the same "issue" against every other browser in existence? Gerv
(In reply to comment #2) > And if you encrypt the data, isn't the person also able to access the in-memory > copy of the decryption key? If NSS was set to ask each time it was needed the key wouldn't necessarily be around. The data itself is going to be in random heap allocated spots, scrambling it a little would actually help protect against unsophisticated snooping (e.g. the sort that might be done by someone who thought it was a good idea running a multi-user box with admin privileges for everyone).
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WONTFIX
Summary: It is possible to retrieve sensitive information from Mozilla Firefox, including authentication credentials → Memory dump of Firefox reveals sensitive information, including authentication credentials
See also bug 286703, "Password found in core file".
*** Bug 286703 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.