User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20060111 Firefox/184.108.40.206
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20060111 Firefox/18.104.22.168

This is a local security flaw in Firefox's storage of passwords. Within seconds of running the exploit code, all login information is provided. The attacker must be able to execute code on the machine, such as your everyday SPYWARE/BOTNET-infected Windows machine. With this information they could log in to web applications you use (such as Gmail!!) and take what they need.

The security researcher goes by the handle "Aphex"; his site can be found at: http://www.iamaphex.cjb.net/

The following link contains a compressed archive containing an executable and the corresponding source code to demonstrate the security flaw in Firefox: http://iamaphex.net/downloads/FirefoxPasswordDecrypter.zip

Good luck,
--Mike

Reproducible: Always

Steps to Reproduce:
1. Download this: http://iamaphex.net/downloads/FirefoxPasswordDecrypter.zip
2. Run under a Windows system (I'm using XP).

Actual Results:
Finds my passwords, almost instantly.

Expected Results:
To not disclose my passwords.

The OpenSSL libraries are included in Firefox; this library can store encrypted information in a file. The password file should not be this insecure. I understand the problems with local security. The most disturbing issue here is that it takes seconds to crack and a child could do it. No expensive rainbow hash tables or brute forcing is required.
Of course it's possible to decrypt passwords if you don't have a master password. If Firefox encrypted them, it would have to have the key lying around somewhere in order to send the passwords to web sites when needed. (In fact, I think that's what it does by default.) Please reopen if I'm misunderstanding and this tool can decrypt a password file in a master-passworded profile without having the master password.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
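The point made in the reply above, modelled as an added example that is not part of the original bug thread and is not Firefox's actual storage code: without a master password the decryption key has to sit in the profile, while with one the key is derived from a secret that is never written to disk. The dict-based "profile", the function names and the toy HMAC-based cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _xor_stream(key, nonce, data):
    # Toy stream cipher for the demo: XOR with HMAC-SHA256 keystream blocks.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def _derive(master_password, salt):
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def create_profile(saved_login, master_password=None):
    """Return the on-disk state of a hypothetical profile (a plain dict here)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    if master_password is None:
        key = os.urandom(32)
        stored_key = key      # key has to be written next to the ciphertext
    else:
        key = _derive(master_password, salt)
        stored_key = None     # key exists only when the user supplies the password
    ct = _xor_stream(key, nonce, saved_login)
    return {"salt": salt, "nonce": nonce, "ct": ct,
            "tag": _tag(key, nonce, ct), "stored_key": stored_key}

def read_login(profile, master_password=None):
    """What any process that can read the profile files is able to recover."""
    if profile["stored_key"] is not None:
        key = profile["stored_key"]
    elif master_password is not None:
        key = _derive(master_password, profile["salt"])
    else:
        raise PermissionError("master password required")
    if not hmac.compare_digest(_tag(key, profile["nonce"], profile["ct"]), profile["tag"]):
        raise ValueError("wrong master password")
    return _xor_stream(key, profile["nonce"], profile["ct"])

if __name__ == "__main__":
    sample = b"alice@example.test:hunter2"      # constructed sample credential
    print(read_login(create_profile(sample)))   # no master password: files alone suffice
    locked = create_profile(sample, "correct horse battery")
    print(read_login(locked, "correct horse battery"))
```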