Closed Bug 479255 Opened 17 years ago Closed 17 years ago

Free program that reads all Firefox passwords

Categories

(Toolkit :: Password Manager, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: dantemp071117, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6

Did you know that the freeware program System Information For Windows (http://www.gtopala.com/), if you click on "secrets," will display all your saved Firefox logins and passwords in plain text? Seems like there is a major security hole there somewhere. The program is "stand-alone," requiring no installation, and will run off thumb drives. If this program can do it, I am sure there are others.

Dan Zabriskie
dantemp071117@xemaps.com

Reproducible: Always

Steps to Reproduce:
1. Download wis.exe from the site http://www.gtopala.com/
2. Execute that file
3. Select "Software" from the upper toolbar.
4. From the drop down menu, select "Secrets," the last option.

Actual Results:
Lists a variety of passwords, including all saved Firefox logins and passwords, Outlook Express email account logins and passwords, and autocomplete passwords.

Yes, software on your computer can read data on your computer. We don't encrypt saved passwords by default. We *can* encrypt them using a master password; see the Preferences -> Security options. I believe that this encryption is fairly secure, but cc'ing dolske for confirmation and to make sure this is INVALID and can be un-hidden.
We don't do enough to let people know passwords are stored insecurely by default and that the "master password" option is available. Old Netscape/Suite versions used to prompt people with a big explanatory prompt the first time a password was saved, which was both ugly and also ineffective if the person primarily using the browser was different from the person who set it up.

Maybe we could put an icon on the password-save infobar as a reminder/status-indicator, with a mouseover saying whether passwords are secure or not and a click that opens up the master-password pane in the pref dialog. With a complete lack of imagination I suggest an open or closed lock, though people might confuse that with SSL indicia so maybe a key vs. a key-in-a-slashed-circle.

This does not need to be security-sensitive. This has been reported many times before, there are public programs to read the data, and letting more people know will help them know they have to protect themselves.
Group: core-security
Not a bug, INVALID. Setting a master password can help in this particular case, but other malware could still get around it (e.g., keysniffer, packet logging, etc.). Other bugs for OS keyring/keychain integration will also help in some cases.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Component: Security → Password Manager
Product: Firefox → Toolkit
QA Contact: firefox → password.manager
Resolution: --- → INVALID