Closed
Bug 655031
Opened 15 years ago
Closed 15 years ago
Firefox can be used as Keylogger to Steal your passwords by easily modifying omni.jar file!!
Categories
(Firefox :: Security, defect)
RESOLVED
WONTFIX
People
(Reporter: rpagarwal2, Unassigned)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
It is possible to force Firefox to always auto save password without showing the notification bar by extracting the omni.jar file & editing the nsLoginManagerPrompter.js. This can be abused especially in a cybercafe because the user’s password will be auto saved without even asking the user in the first place. Seems to act like a keylogger, isn’t it?
Please refer to the following links for further details:
For Firefox 4
http://www.raymond.cc/blog/archives/2011/04/26/edit-files-inside-firefox-4-omni-jar-to-auto-save-password/
For Firefox 3
http://www.raymond.cc/blog/archives/2009/11/05/hacking-firefox-to-always-auto-save-password-without-showing-notification-bar/
Reproducible: Always
Steps to Reproduce:
1. Extract the omni.jar file from C:\Program Files\Mozilla Firefox with WinRAR or rename it to omni.zip.
2. Edit nsLoginManagerPrompter.js, replace the entire lines 642 to 711 with the code
var pwmgr = this._pwmgr;
pwmgr.addLogin(aLogin);
3. ZIP it back again and copy it to the Firefox folder.
4. Now whenever somebody logs in to any website, Firefox will auto save the site, username and password to the login manager WITHOUT showing the notification bar.
Actual Results:
Firefox converted into keylogger to steal the users passwords.
Expected Results:
Firefox converted into keylogger
Comment 1•15 years ago
It's true that Firefox is slightly easier to modify in place than many other typical "trusted" applications. But if someone is able to modify omni.jar in Firefox, they could also replace firefox.exe entirely, so making Firefox harder to modify in place wouldn't significantly help protect anyone.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Dear Gavin,
Many antivirus products may detect any unauthorized change in Firefox.exe & will warn/block usage of such a modified firefox.exe, as the "firefox.exe" file is always protected by a 'digital signature' (Digital Identity Protection), but that won't be possible with the omni.jar file. Hence it is important to tighten the security of the omni.jar file further, as Mozilla already did this to a certain extent in Firefox 4 with respect to Firefox 3 by encrypting it to prevent any modification.
Please reconsider your decision in this regard.
Thanks.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•15 years ago
There are *many* files in many programs which, if modified, could cause problems. This is just one. App-level defense against this kind of attack is not reasonable or feasible.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → WONTFIX
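A host-level integrity check for the in-place modification discussed in this bug, added here as an example and not part of the bug report or of Mozilla's code: it hashes every member of a ZIP-format archive and compares the result with a baseline recorded from a trusted install, so the report names the edited file. The member path, file contents and helper names are constructed for the demonstration, and it assumes the archive is readable by Python's zipfile module.

```python
import hashlib
import io
import zipfile

def member_hashes(jar_bytes):
    """Map each archive member name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.filename: hashlib.sha256(jar.read(info)).hexdigest()
                for info in jar.infolist() if not info.is_dir()}

def diff_against_baseline(baseline, current):
    """Return members that were modified, added or removed since the baseline."""
    return {
        "modified": sorted(n for n in baseline.keys() & current.keys()
                           if baseline[n] != current[n]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def build_jar(members):
    """Build an in-memory ZIP from {name: bytes}; stands in for omni.jar here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in members.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample content, not real Firefox files.
PROMPTER = "components/nsLoginManagerPrompter.js"  # assumed member path
CLEAN = {
    PROMPTER: b"// original prompter: shows the notification bar\n",
    "chrome.manifest": b"# constructed manifest\n",
}
TAMPERED = dict(CLEAN)
TAMPERED[PROMPTER] = b"// edited prompter: different bytes\n"

def demo():
    baseline = member_hashes(build_jar(CLEAN))    # recorded from a trusted install
    current = member_hashes(build_jar(TAMPERED))  # what is on disk now
    return diff_against_baseline(baseline, current)

if __name__ == "__main__":
    print(demo())
```

Hashing the uncompressed members rather than the whole file means a re-zip with different compression settings does not by itself raise an alert, while any edited member does.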