Memory dump of Firefox reveals sensitive information, including authentication credentials

RESOLVED WONTFIX

Status

()

Firefox
Security
--
critical
RESOLVED WONTFIX
13 years ago
2 years ago

People

(Reporter: Paul Kurczaba, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Mozilla Firefox stores sensitive data, such as usernames and passwords, in clear
text in memory. By performing a memory dump of firefox.exe, it is possible to
gather the sensitive information.

This vulnerability would be most likely exploited in the following situations:

1. An environment in which multiple people share a Windows XP computer with
"Fast User Switching" enabled.

Example:
User "A" logs into Windows, and starts firefox. He then logs into a website.
Later, leaving Firefox running, he clicks on "Start", "Log Off", then "Switch User".

User "B" logs into Windows, and opens Task Manager. He locates the Process ID
(PID) associated with users "A" firefox.exe. By running PMDump(1), user "B" can
dump the memory of users "A" firefox.exe to a file. He can then open the file in
a text editor (such as WordPad), and would be able to locate the authentication
credentials that user A used to sign into the website.

2. An environment in which multiple people connect to a PC running Terminal
Services/Remote Desktop Connection, in which Mozilla Firefox is installed. The
process of gathering the sensitive data would be the same way used in the above
Example 1; by using PMDump(1).

(1) http://ntsecurity.nu/toolbox/pmdump/

Reproducible: Always

Steps to Reproduce:
The steps to reproduce are described in the "Details" section of this bug report.

Actual Results:  
I was able to retrieve authentication credentials from the memory dump of Firefox.

Expected Results:  
The software should encode/encrypt/disguise sensitive data (such as usernames
and passwords used in HTTP authentication).

A full report is available here:
http://www.kurczaba.com/html/security/unpublished/Mozilla_Firefox_Sensitive_Data_Disclosure.htm
If someone has the rights to see your process memory, can't they probably also
install a keylogger on the machine?
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
And if you encrypt the data, isn't the person also able to access the in-memory
copy of the decryption key?

If the OS doesn't enforce proper separation, we can't fix the problem at the
application level. Anything we tried would be snake oil.

I presume you are reporting the same "issue" against every other browser in
existence?

Gerv
(In reply to comment #2)
> And if you encrypt the data, isn't the person also able to access the in-memory
> copy of the decryption key?

If NSS was set to ask each time it was needed the key wouldn't necessarily be
around. The data itself is going to be in random heap allocated spots,
scrambling it a little would actually help protect against unsophisticated
snooping (e.g. the sort that might be done by someone who thought it was a good
idea running a multi-user box with admin privileges for everyone).

Updated

13 years ago
Group: security
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WONTFIX
Summary: It is possible to retrieve sensitive information from Mozilla Firefox, including authentication credentials → Memory dump of Firefox reveals sensitive information, including authentication credentials

Comment 4

13 years ago
See also bug 286703, "Password found in core file".

Comment 5

13 years ago
*** Bug 286703 has been marked as a duplicate of this bug. ***
Duplicate of this bug: 353122

Updated

7 years ago
Duplicate of this bug: 667352
Duplicate of this bug: 786159

Updated

2 years ago
Duplicate of this bug: 1287372
You need to log in before you can comment on or make changes to this bug.