With the launch of the 68.0.2 release, Mozilla patched a vulnerability in the Firefox web browser that would allow unauthorized users to copy passwords from the browser's built-in Saved Logins database even when it is protected with a master password.
"Stored passwords in 'Saved Logins' can be copied without master password entry," according to Mozilla's security advisory, which also rates the security flaw, tracked as CVE-2019-11733, as having a 'moderate' impact.
The flaw allows anyone with local access to a computer running an unpatched version of Firefox to go to the Saved Logins dialog available in Firefox's Options > Privacy & Security preferences menu and copy the password stored for any of the saved logins by right-clicking and choosing the "Copy Password" option.
"When a master password is set, it is required to be entered before stored passwords can be accessed in the 'Saved Logins' dialog," says Mozilla.
"It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without first entering the master password, allowing for potential theft of stored passwords."
Mozilla Firefox Bug Let Third-Parties Access Saved Passwords
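The class of bug the advisory describes, one command path that discloses a secret without passing the check the other paths use, modelled as an added example (not Firefox source code and not part of the original story). The class, method names and sample values are hypothetical, and how Firefox implemented the dialog internally is an assumption, since the page does not show it.

```javascript
// Illustrative model: class and method names are hypothetical, not Firefox source.
class SavedLoginsDialog {
  constructor(logins, masterPassword) {
    this.logins = logins;                 // constructed sample data
    this.masterPassword = masterPassword;
    this.unlocked = false;                // master password not yet entered
    this.clipboard = null;
  }

  // Stand-in for the master password prompt.
  enterMasterPassword(attempt) {
    this.unlocked = attempt === this.masterPassword;
    return this.unlocked;
  }

  // Single choke point: every path that discloses a password should call this.
  revealPassword(site) {
    if (!this.unlocked) throw new Error("master password required");
    return this.logins[site];
  }

  // Display path: gated.
  showPassword(site) { return this.revealPassword(site); }

  // Flawed shape matching the advisory's description (assumed implementation):
  // the context-menu command reads the store directly and skips the gate.
  copyPasswordUnpatched(site) { this.clipboard = this.logins[site]; }

  // Hardened shape: the same command routed through the gate.
  copyPasswordPatched(site) { this.clipboard = this.revealPassword(site); }
}

// Regression check: run each disclosing command while locked, report which leak.
function leakingCommands(commandNames) {
  const secret = "s3cret-constructed";
  return commandNames.filter((name) => {
    const dialog = new SavedLoginsDialog({ "example.test": secret }, "mp-constructed");
    try {
      const returned = dialog[name]("example.test");
      return returned === secret || dialog.clipboard === secret;
    } catch {
      return false; // denied before anything was disclosed
    }
  });
}

console.log(leakingCommands(["showPassword", "copyPasswordUnpatched", "copyPasswordPatched"]));
```

A check like `leakingCommands` belongs in the test suite for any UI that holds secrets: it enumerates commands rather than trusting that each one remembered to call the gate.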
(Score: 3, Insightful) by darkfeline on Sunday August 18 2019, @09:19PM (1 child)
The stored passwords aren't encrypted by the master password? That means anyone with access to the database can get the plaintext passwords. Then what is even the point of the master password?
For reference, see how Chromium does it: https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux_password_storage.md [googlesource.com]
Join the SDF Public Access UNIX System today!
(Score: 2) by Freeman on Monday August 19 2019, @02:11PM
Convenience, and if the malicious 3rd party already has access to my computer, I'm totally screwed anyway.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"