A security vulnerability in the password manager of Firefox




7 years ago
3 years ago


(Reporter: cyue, Unassigned)


11 Branch
Windows 7

Firefox Tracking Flags

(Not tracked)




7 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Build ID: 20120312181643

Steps to reproduce:

If the master password is not used by a user, the encrypted website passwords and usernames saved by Firefox's password manager can be completely decrypted by attackers if they can steal the signons.sqlite file and the key3.db file from a user's computer.  For example, copy the signons.sqlite file and the key3.db file of my Firefox from computer A to another computer B.

Actual results:

All the encrypted website passwords and usernames saved by Firefox's password manager on computer A can be completely decrypted on computer B.  Attackers can use attacks such as drive-by-download to steal these two files and obtain the passwords and usernames of those users who do not use a master password.

Expected results:

Using a master password should become mandatory for the password manager feature.  A better password manager should be designed for Firefox.  My Ph.D. student Rui Zhao and I (Chuan Yue) have designed and built a new password manager for Firefox, and we have submitted a research paper to a conference.  We can provide more information in case you are interested.  

This vulnerability is common to the password managers (latest as well as old versions) of all five of the most popular Web browsers: Internet Explorer, Firefox, Google Chrome, Safari, and Opera.  The nature of the attack is the vulnerability in the design of the current browser-based password managers.  Currently we are also communicating with the other four browser vendors to provide our attack tools and source code against their password managers.  Microsoft researchers have forwarded our reported information to their IE and Security Response teams.

Thank you very much!

Chuan Yue
University of Colorado at Colorado Springs
Department of Computer Science
1420 Austin Bluffs Parkway
Colorado Springs, CO 80918

Comment 1

7 years ago
This bug seems to just be a core design choice in Firefox: if you get at the local files, of course you have the data. Unless there is a particular attack which allows websites to download these files either directly or by easily tricking users, I don't think this bug needs to remain private. I encourage you to write to the mozilla.dev.apps.firefox newsgroup if you have a more detailed proposal of how we could implement a more secure storage system for password data without overburdening users.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
QA Contact: untriaged → password.manager
This bug does not need to be hidden as this is known behavior.
Bug 91916 comment 5 shows this is intended, by-design behavior.
Group: core-security

Comment 3

7 years ago
Benjamin, Curtis:

Thank you very much for your quick response.  Given the 
prevalence of browser-based attacks such as drive-by-download, 
we believe the design of future password managers should
make the master password mandatory.  We will provide
a more detailed proposal later.

Thanks a lot,

There is an older tool somewhere to extract the passwords - this is known.
A mandatory master password would be a reason for me to switch browsers or use a third-party password manager tool. There is not much security gain with a master password if an attacker already has full control over the system.
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 91916