SoylentNews is people
SoylentNews
Mozilla patched a vulnerability in the Firefox web browser with the launch of the 68.0.2 release which would allow unauthorized users to copy passwords from the browser's built-in Save Logins database even when protected with a master password.
"Stored passwords in 'Saved Logins' can be copied without master password entry" according to Mozilla security advisory, which also rates the security flaw tracked as CVE-2019-11733 as having a 'moderate' impact.
The flaw allows anyone with local access to a computer running an unpatched version of Firefox to go to the Save Logins dialog available in Firefox's Options > Privacy & Security preferences menu and copy the password stored for any of the saved logins by right-clicking and choosing the "Copy Password" option.
"When a master password is set, it is required to be entered before stored passwords can be accessed in the 'Saved Logins' dialog," says Mozilla.
"It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without first entering the master password, allowing for potential theft of stored passwords."
Mozilla Firefox Bug Let Third-Parties Access Saved Passwords
(Score: 3, Touché) by AthanasiusKircher on Sunday August 18 2019, @02:13PM (2 children)
I don't think anyone here was claiming that any software is impervious to bugs or exploits. However, given the track record of browsers (including Firefox) with security bugs, as well as the fact that they seem to be releasing updates every week these days (often to fix security bugs) makes me nervous to put my trust in them. I'd prefer to have a dedicated piece of software devoted specifically to maintaining security of passwords, and I don't think that's an irrational decision. Storing them in a piece of software with a codebase as large as Firefox that's changing all the time whose primary job is to connect to the internet, and which has a track record of many kinds of bugs that allow people on the internet to access to things they shouldn't be able to -- well, that honestly seems to be a poor security decision to me.
To me, it's kinda like if you had keys to safe deposit boxes (or other sensitive/valuable materials) and you chose to store them in a locked box in your car visible to onlookers, which you drove around with you everywhere, instead of putting them in -- I don't know -- a hidden safe in your house. Oh, and every time you take that car in for an oil change, the mechanics do updates on the car, which may or may not have to do with the locked box (and may or may not impact its security, but it's wired in electronically to the car, so any update could impact it). While the safe in your house only gets updates rarely and they are specifically to secure the safe.
Sure, both have security issues, but I'd be much more concerned about the one potentially exposed to random places around the world all the time that everyone knows to try to look for/break into.
Two out of the three links you listed primarily deal with password managers that are attached to browsers too, which similarly make me nervous. You'd hope that the separate nature of a browser plug-in would isolate it from vulnerabilities in the browser code, but what if the browser code changes on an update in an unexpected way?
As your third link notes, even standalone password applications can have vulnerabilities in terms of temporary storage in RAM, etc., but most of the time to get access to that stuff, you'd need physical access to the machine (or at least access at the level of the user or an admin to their account remotely). Whereas web browsers are primarily designed to allow a bunch of remote stuff to run on your computer (from cookies to scripts, etc.). Why would you choose to store your material of greatest security concern within that application??
(Score: 2) by RamiK on Sunday August 18 2019, @04:30PM
That. Also, I'm personally using PassFF which means even if the browser's addon gained access and managed to exploit some bug in zx2c4's pass, it would have to contend with some 4096bits of GnuPG. Well, they might be able to find some other bug in the stack that will let them workaround that too... But this is getting state-level targeted and I doubt the triple letter agencies won't just wrench & hammer me for my password instead.
compiling...
(Score: 2) by c0lo on Sunday August 18 2019, @07:26PM
(Let me check to see if I said such a thing. Nope, I didn't)
The rational decision for me is not to rely on any piece of software to manage my passwords (more like passprhases, at 15+ chars long. I'd use longer, but most of the places I deal with limit them at 20 chars).
After all, I need to keep about.. let me see... 6-7 of them to be at "top security" level. The rest either don't mater if cracked or are even throw aways.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford