Closed
Bug 305480
Opened 19 years ago
Closed 19 years ago
step by step instructions how to steal passwords
Categories
(Firefox :: Security, defect)
RESOLVED
INVALID
People
(Reporter: primorec, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Welcome to Gravix's homebrew guide to stealing stored Firefox passwords! You may be thinking at this point: "Why don't I just go under Tools>Options>Privacy>Passwords>Show passwords"? Well… imagine if you weren't sitting in front of the computer (or you don't have access to that user's Firefox)! Then what? Exactly. This guide is going to be the first of many guides to come.

Prep:
Access to a computer [remote/local] which has Firefox
Some way of file retrieval
Firefox on a computer you have access to.

Ok, now for the easy part, try to keep up please.

1) Copy the following files to a storage media:
Under C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\[Random].default\
signons.txt
key3.db
2) Move them to a place you have access to.
3) Now for the swap, open up the same folder on your computer (making sure you fill in [User] with your username), and rename the existing signons.txt and key3.db to something alternate (I usually just put a .bak or ~ at the end of them).
4) Paste the stolen files in their place.
5) Load up Firefox and open Tools>Options>Privacy>*expand Saved Passwords*>*click View Saved Passwords*
6) You're probably wondering, "Ok… where are the passwords?". This is where I tell you to click "Show Passwords"
7) Congrats! You now have a list of sites with their corresponding username and password!

Important notes:
1) If you only take the signons.txt file and not the key3.db, then you won't be able to view anything in the file.
2) If Firefox is running while you are taking the files, it will not work. It will tell you they are "In use". Also make sure you don't have Firefox running when you switch the files.
3) To restore your passwords, just delete/move the stolen files and rename your backups.

I hope you all have enjoyed!
http://gdataonline.com/blog/

Reproducible: Couldn't Reproduce

I found these STEP-BY-STEP instructions by accident while browsing the net
Comment 1•19 years ago
Already public (http://gdataonline.com/blog/?p=9), so no point keeping people from seeing this bug report. I don't think this is a security hole in Firefox. How could Firefox store the passwords on disk without letting anyone with access to Firefox's files read them and without requiring the user to set and enter a password?
Group: security
Comment 3•19 years ago (Reporter)
My understanding is different. I think nobody, including the real owner, should have access to his/her logins/passwords in clear text WITHOUT entering the master password by default. In other words, Firefox should ask for the master password by default. If the master password is not set, FF should guide the user to create one when he/she tries to access the login/password list via "Show Password" for the first time. Having or not having the master password set should not prevent the owner from visiting the sites automagically.

There should be some mechanism (algorithm ) in place which would prevent others to see the logins/passwords in clear text if the files signons.txt and key.3db are copied to another PC with Firefox installed.

I do not know if this is achievable or not. I am not a security expert.
Comment 4•19 years ago
(In reply to comment #3)
> There should be some mechanism (algorithm ) in place which would prevent others
> to see the logins/passwords in clear text if the files signons.txt and key.3db
> are copied to another PC with Firefox installed.
> I do not know if this is achievable or not. I am not a security expert.

What about when people buy new computers and migrate their settings?

If someone has full access to your computer, they could install WinVNC and use that to open Firefox and take a screenshot of your passwords from the options dialog.

The solutions here are:
1. Set a master password.
2. Don't store your passwords.
Comment 5•19 years ago
This is by design and known. Firefox makes it a little bit harder than Seamonkey, where the passwords are only base64 encoded (but that makes no real difference in security).

The browser must send the passwords to the servers and can't use one-way encryption like the *nix login passwords. That also means that you can always read the passwords if you don't use a master password.

Marking invalid, and this discussion is not new. We also have, AFAIK, a security warning about storing the passwords (?)
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: Password Manager → Security
Resolution: --- → INVALID
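The design point made in comments 1 and 5, as an added example that is not Firefox's code or its storage format: a simplified Python model showing why a copied key file plus data file is enough when no master password is set, and why deriving the key from a master password changes that. The function names, the constructed toy cipher and the `key_file`/`data_file` layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed toy stream cipher (HMAC-SHA256 in counter mode), for illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, secret: str) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, secret.encode())
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key: bytes, blob: bytes) -> str:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or corrupted data")
    return _xor_stream(_sub(key, b"enc"), nonce, ct).decode()

def _kdf(master: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)

# "key_file"/"data_file" stand in for key3.db/signons.txt; this is NOT their real format.
def store_no_master(secret: str) -> dict:
    key = os.urandom(32)  # the key itself sits on disk beside the data
    return {"key_file": key, "data_file": seal(key, secret)}

def read_no_master(files: dict) -> str:
    return unseal(files["key_file"], files["data_file"])

def store_with_master(secret: str, master: str) -> dict:
    salt = os.urandom(16)  # only a salt is stored; the key is re-derived from the typed master
    return {"key_file": salt, "data_file": seal(_kdf(master, salt), secret)}

def read_with_master(files: dict, master: str) -> str:
    return unseal(_kdf(master, files["key_file"]), files["data_file"])

if __name__ == "__main__":
    copied = dict(store_no_master("hunter2"))  # constructed sample password
    print(read_no_master(copied))
```

In the second layout a copied file set can still be attacked by guessing the master password offline, so its strength matters.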