Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.

Mozilla Firefox Bug Let Third-Parties Access Saved Passwords

posted by janrinok on Sunday August 18 2019, @10:33AM   Printer-friendly
from the I've-always-used-********** dept.

Fnord666 writes:

Mozilla patched a vulnerability in the Firefox web browser with the launch of the 68.0.2 release which would allow unauthorized users to copy passwords from the browser's built-in Save Logins database even when protected with a master password.

"Stored passwords in 'Saved Logins' can be copied without master password entry" according to Mozilla security advisory, which also rates the security flaw tracked as CVE-2019-11733 as having a 'moderate' impact.

The flaw allows anyone with local access to a computer running an unpatched version of Firefox to go to the Save Logins dialog available in Firefox's Options > Privacy & Security preferences menu and copy the password stored for any of the saved logins by right-clicking and choosing the "Copy Password" option.

"When a master password is set, it is required to be entered before stored passwords can be accessed in the 'Saved Logins' dialog," says Mozilla.

"It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without first entering the master password, allowing for potential theft of stored passwords."

Mozilla Firefox Bug Let Third-Parties Access Saved Passwords

Original Submission

 
This discussion has been archived. No new comments can be posted.
Mozilla Firefox Bug Let Third-Parties Access Saved Passwords | Log In/Create an Account | Top | 37 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 5, Informative) by maxwell demon on Sunday August 18 2019, @12:56PM (3 children)

    by maxwell demon (1608) on Sunday August 18 2019, @12:56PM (#881724) Journal

    So to exploit this vulnerability, the user needs to have access to my unlocked screen running Mozilla. I'd say, at that point it's already game over anyway, as with that level of access, the same attacker could just install a keylogger reading my master password the next time I enter it.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    Starting Score:    1  point
    Moderation   +3  
       Informative=3, Total=3
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   5  

  • (Score: 2) by bzipitidoo on Sunday August 18 2019, @01:40PM (1 child)

    by bzipitidoo (4388) on Sunday August 18 2019, @01:40PM (#881733) Journal

    I don't find entirely believable their assertion that local access is required. JavaScript and plugins can do a lot of things, and there could well still be ways to capture local data and transmit it to a malicious website.

    I have run into the sort of malicious website that creates the uncloseable window that plays, over and over, an audio clip that states your computer is infected while text while the same scary message flashes and scrolls across the window. They were also able to reprogram things so that in the URL bar, any keypress at all takes the browser right back to the malicious website. Haven't seen that one lately. When I last saw it, I had to kill the browser from the command line, then purge the cache and the history. For a website that can do all that, transmitting some data from a local buffer seems like it might be kinda easy in comparison.

    • (Score: 3, Interesting) by maxwell demon on Sunday August 18 2019, @02:56PM

      by maxwell demon (1608) on Sunday August 18 2019, @02:56PM (#881752) Journal

      Of course, once you install a malicious plugin, it's also game over. But a web site shouldn't be able to do that.

      The "uncloseable" window is easy: Just attach JavaScript on the "onclose" event. The URL bar OTOH sounds like something that shouldn't work for a web site (a plugin of course totally can do that). But maybe it was that you weren't actually at the URL bar (did you use the keyboard to get there? The keyboard event could have been caught and the switch to the URL bar prevented). Or of course it might have had nothing to do with the URL bar itself, and instead just monitored the attempt to leave the site using the onunload event (but then, it should not have triggered as soon as you enter something in the URL bar, but only when you press Enter there).

      And of course I wouldn't completely exclude a vulnerability that allows you to read out a password. But it would not be this vulnerability. Instead, I would expect such a vulnerability to exploit the password auto fill-in; maybe by silently loading the login page into an invisible iframe, and then after the browser auto-fills it, reading the data from there.

      --
      The Tao of math: The numbers you can count are not the real numbers.

  • (Score: 2) by Username on Sunday August 18 2019, @10:48PM

    by Username (4557) on Sunday August 18 2019, @10:48PM (#881880)

    Doesn't really seem that bad to me either. I'd even go further and say this bug would be a feature to me, in case I forget my password. Seems simple to just parse some file for the password, then to reset a password through some website which sends a link via email(email client with saved password on machine already), click link, type in new password.

    My biggest pet peeve is mandatory password changes, and complexity requirements. Am I on Password.6 or Password.7? If I am on on 1, I'm going to get lockout for too many attempts. Better to just parse a file.