
SoylentNews is people

posted by janrinok on Sunday August 18 2019, @10:33AM
from the I've-always-used-********** dept.

With the launch of the 68.0.2 release, Mozilla patched a vulnerability in the Firefox web browser that would allow unauthorized users to copy passwords from the browser's built-in Saved Logins database even when protected with a master password.

"Stored passwords in 'Saved Logins' can be copied without master password entry," according to Mozilla's security advisory, which also rates the security flaw, tracked as CVE-2019-11733, as having a 'moderate' impact.

The flaw allows anyone with local access to a computer running an unpatched version of Firefox to go to the Saved Logins dialog, available in Firefox's Options > Privacy & Security preferences menu, and copy the password stored for any of the saved logins by right-clicking and choosing the "Copy Password" option.

"When a master password is set, it is required to be entered before stored passwords can be accessed in the 'Saved Logins' dialog," says Mozilla.

"It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without first entering the master password, allowing for potential theft of stored passwords."

Mozilla Firefox Bug Let Third-Parties Access Saved Passwords


  • (Score: 0) by Anonymous Coward on Sunday August 18 2019, @02:34PM (3 children)

    by Anonymous Coward on Sunday August 18 2019, @02:34PM (#881747)

    Firefox master password was reported as weak long ago [fossbytes.com], so what they correct now is futile.

  • (Score: 2) by maxwell demon on Sunday August 18 2019, @03:03PM (2 children)

    by maxwell demon (1608) on Sunday August 18 2019, @03:03PM (#881759) Journal

    From the link, I get it's only weak if you use a weak master password. Mine has more than 20 characters, with letters, digits and special characters, so I guess I'm fine.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 1, Informative) by Anonymous Coward on Sunday August 18 2019, @03:39PM (1 child)

      by Anonymous Coward on Sunday August 18 2019, @03:39PM (#881768)

      The weakness comes from the number of iterations used for hashing the password. I should have used this link instead, where the issue is explained in more detail [sophos.com].

      Maybe long passwords are secure; I am no crypto expert, but using subpar methods below the standard recommendation seems a bit shady.

      • (Score: 1, Insightful) by Anonymous Coward on Sunday August 18 2019, @04:22PM

        by Anonymous Coward on Sunday August 18 2019, @04:22PM (#881789)

        number of iterations is a linear problem, so not really that important. you just need like 10000 and you are good.

        number of characters is an exponential problem, so much more important.

        they are complementary, but you are not going to save yourself with a shit password if you just bump iteration count.
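
The trade-off argued in the thread above, iteration count against password length, worked through as an added example (it is not part of any comment and is not Firefox's code). It assumes PBKDF2-HMAC-SHA256 as a stand-in key-stretching function, a 95-character printable ASCII set, and a constructed salt and wordlist.

```python
import hashlib
import math

# Constructed sample data (assumptions, not values from the story or Firefox).
SALT = b"constructed-salt"
WORDLIST = ["123456", "password", "letmein", "qwerty"]


def derive(password, salt, iterations):
    """Stretch a password with PBKDF2-HMAC-SHA256 (stand-in KDF for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def search_bits(length, charset_size, iterations):
    """log2 of the hash operations needed to try every password of this shape."""
    return length * math.log2(charset_size) + math.log2(iterations)


def iterations_as_characters(iterations, charset_size):
    """Extra random characters that add the same work as this iteration count."""
    return math.log2(iterations) / math.log2(charset_size)


def audit_guesses(target_key, salt, iterations, wordlist):
    """Derivations needed before a wordlist entry matches the key, or None."""
    for n, word in enumerate(wordlist, 1):
        if derive(word, salt, iterations) == target_key:
            return n
    return None


if __name__ == "__main__":
    for label, length, charset, iters in [
        ("8 lowercase, 1 iteration", 8, 26, 1),
        ("8 lowercase, 10000 iterations", 8, 26, 10000),
        ("20 printable, 1 iteration", 20, 95, 1),
        ("20 printable, 10000 iterations", 20, 95, 10000),
    ]:
        print(f"{label:32s} {search_bits(length, charset, iters):6.1f} bits")
    print("10000 iterations ~", round(iterations_as_characters(10000, 95), 2),
          "extra printable characters")
    # A password that is on the wordlist falls after the same number of guesses
    # whatever the iteration count; only the cost of each guess changes.
    for iters in (1, 10000):
        key = derive("letmein", SALT, iters)
        print(iters, "iterations:", audit_guesses(key, SALT, iters, WORDLIST), "guesses")
```

Under these assumptions, 10000 iterations add about 13 bits of work, roughly what two more random printable characters add, which is why both a sound iteration count and a long password matter.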