Status

Firefox
Security
RESOLVED INVALID
9 years ago
9 years ago

People

(Reporter: Patchy, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Maybe not a bug with the software but thought you might be interested in this link... http://thepiratebay.org/torrent/5040248/FireFox.PassWord.SteaLer.-DEMaND
A quote from the description says "Hello, I am just starting coding in C++ so I decided to make this to practice. This Firefox Stealer finds the Firefox passwords in the computer, decodes them and uploads them to an FTP server"
Sorry I haven't downloaded and tried the application (not my thing) but if it does what it claims there may be cause to beef up the password security.

Reproducible: Always

Comment 1

9 years ago
Firefox stealers require the application (Stealer) to be on the end user's computer for it to work.

Windows passwords are stored in the SAM file and Linux passwords in the etc/passwd (now etc/shadow I think) and these are both easily crackable (length dependent).

Firefox has to store passwords some way, and since it cannot use 1-way encryption (It actually has to recover the passwords), and partially due to the fact Firefox is Open-Source, finding the passwords using an external program is rather simple.

Now, if the person was able to do that remotely, now THAT would be a problem :)
Why is this surprising for you if you run such software under your user account? This software can do everything that your account permits. If you run under a Windows Administrator account the software could install a keylogger to get passwords.
Setting a master password helps to protect the Firefox password file if you use a good password.
Marking invalid, no security risk.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID