There is a tool avalibe that "decrypts" information stored in the Password Manager (local) !!!

RESOLVED INVALID

Status

()

--
major
RESOLVED INVALID
13 years ago
10 years ago

People

(Reporter: firealwaysworks, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

This is a local security flaw in Firefox's storage of passwords. Within seconds of running the exploit code all login information is provided. The attacker must be able to execute code on the machine; such as your every day SPYWARE/BOTNET infected windows machine. With this information they could login to web applications you use (such as Gmail!!) and take what they need.  

The security researcher that goes by the Handel "Aphex" his site can be found:
http://www.iamaphex.cjb.net/

The following link contains a compressed archive containing an executable and the corresponding source code to demonstrate the security flaw in Firefox:
http://iamaphex.net/downloads/FirefoxPasswordDecrypter.zip 

Good Luck,
--Mike

Reproducible: Always

Steps to Reproduce:
1.download this: http://iamaphex.net/downloads/FirefoxPasswordDecrypter.zip
2. Run under a windows system (I'm useing xp).

Actual Results:  
Finds my passwords,  almost instantly. 

Expected Results:  
To not disclose my passwords.

The OpenSSL libraries are included in Firefox,  this library can store encrypted information in a file. The password file should not be this insecure.  I understand the problems with local security.  The most disturbing issue here is that it takes seconds to crack and a child could do it. No expensive rainbow hash tables or brute forcing is required.

Comment 1

13 years ago
Of course it's possible to decrypt passwords if you don't have a master password. If Firefox encrypted them, it would have to have the key lying around somewhere in order to send the passwords to web sites when needed.  (In fact, I think that's what it does by default.)

Please reopen if I'm misunderstanding and this tool can decrypt a password file in a master-passworded profile without having the master password.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
(Assignee)

Updated

10 years ago
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.