There is a tool available that "decrypts" information stored in the Password Manager (local) !!!




13 years ago
10 years ago


(Reporter: firealwaysworks, Unassigned)


Firefox Tracking Flags

(Not tracked)





13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060111 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060111 Firefox/

This is a local security flaw in Firefox's storage of passwords. Within seconds of running the exploit code, all login information is provided. The attacker must be able to execute code on the machine, such as your everyday SPYWARE/BOTNET-infected Windows machine. With this information they could log in to web applications you use (such as Gmail!!) and take what they need.

The security researcher goes by the handle "Aphex"; his site can be found:

The following link contains a compressed archive containing an executable and the corresponding source code to demonstrate the security flaw in Firefox: 

Good Luck,

Reproducible: Always

Steps to Reproduce: this:
2. Run under a Windows system (I'm using XP).

Actual Results:  
Finds my passwords, almost instantly.

Expected Results:  
To not disclose my passwords.

The OpenSSL libraries are included in Firefox; this library can store encrypted information in a file. The password file should not be this insecure. I understand the problems with local security. The most disturbing issue here is that it takes seconds to crack and a child could do it. No expensive rainbow hash tables or brute forcing is required.

Comment 1

13 years ago
Of course it's possible to decrypt passwords if you don't have a master password. If Firefox encrypted them, it would have to have the key lying around somewhere in order to send the passwords to web sites when needed.  (In fact, I think that's what it does by default.)

Please reopen if I'm misunderstanding and this tool can decrypt a password file in a master-passworded profile without having the master password.
Last Resolved: 13 years ago
Resolution: --- → INVALID
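
The reasoning in Comment 1, as an added example that is not part of the bug report and is not Firefox's code: a toy store in which the data key is wrapped under a key derived from the master password. The store layout, the function names and the HMAC-based stand-in cipher are assumptions made for illustration; with the default empty password the stored files alone are enough to read the logins, and with a master password set they are not.

```python
# Added illustration, not Firefox code. Store layout and names are hypothetical.
import hashlib, hmac, os

def _kek(master_password: str, salt: bytes) -> bytes:
    # Key-encryption key: depends only on the master password and a stored salt.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. For illustration only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one input key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc, nonce, plaintext)
    return body + hmac.new(mac, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password")
    return _xor_stream(enc, body[:16], body[16:])

def create_store(logins: bytes, master_password: str = "") -> dict:
    # Everything returned here is what would sit on disk in the profile.
    salt, data_key = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_key": seal(_kek(master_password, salt), data_key),
            "logins": seal(data_key, logins)}

def read_store(store: dict, master_password: str = "") -> bytes:
    data_key = unseal(_kek(master_password, store["salt"]), store["wrapped_key"])
    return unseal(data_key, store["logins"])

if __name__ == "__main__":
    sample = b"site=example.test user=alice pass=constructed"  # constructed input
    print(read_store(create_store(sample)))  # no master password: opens
    try:
        read_store(create_store(sample, "long passphrase"))  # files alone: refused
    except ValueError as e:
        print("refused:", e)
```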


10 years ago
Product: Firefox → Toolkit