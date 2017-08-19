from the I've-always-used-********** dept.
Mozilla patched a vulnerability in the Firefox web browser with the launch of the 68.0.2 release which would allow unauthorized users to copy passwords from the browser's built-in Save Logins database even when protected with a master password.
"Stored passwords in 'Saved Logins' can be copied without master password entry" according to Mozilla security advisory, which also rates the security flaw tracked as CVE-2019-11733 as having a 'moderate' impact.
The flaw allows anyone with local access to a computer running an unpatched version of Firefox to go to the Save Logins dialog available in Firefox's Options > Privacy & Security preferences menu and copy the password stored for any of the saved logins by right-clicking and choosing the "Copy Password" option.
"When a master password is set, it is required to be entered before stored passwords can be accessed in the 'Saved Logins' dialog," says Mozilla.
"It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without first entering the master password, allowing for potential theft of stored passwords."
Mozilla Firefox Bug Let Third-Parties Access Saved Passwords
(Score: 0) by Anonymous Coward on Sunday August 18, @10:41AM (1 child)
with the launch of the 68.0.2 release
Just the 68,or all versions?
(Score: 0) by Anonymous Coward on Sunday August 18, @10:48AM
It's fixed in the mentioned version. It's not clear which prior versions are vulnerable.
(Score: 1) by jmichaelhudsondotnet on Sunday August 18, @10:42AM (5 children)
Almost as bad as failing to renew the root cert required by your entire add on community, causing every browser's protection to fail over the weekend and forcing people to turn on a tracking feature to install the update, then making fun of them for asking questions. Oh and the browsers without their addons were likely revealing unique identifiers that could be used to derive the identity of previously stored traffic that had tiil then been successfully anonymized.
Like the cert issue, this strikes me as so simple of a failure in so secure of an area that accidental explanations are difficult to believe. At least it demonstrates how seriously they double check the most secure areas of their product, or whatever a browser is anymore, so we can adjust our trust meter calibrations.
(Score: 5, Insightful) by Bot on Sunday August 18, @11:37AM (4 children)
Well indeed, being able to copy a password without the master password means the master password does not encrypt the password. So either:
- they do not know how to write a password manager
- they don't test for password manager related bugs
- they are malicious
The third option actually looks less terrifying.
IMHO google owns Mozilla and wants the browser to die by a thousand papercuts
Hopefully something will get out of its rendering engine else the webkit monoculture must be closely inspected.
(Score: 0) by Anonymous Coward on Sunday August 18, @02:34PM (3 children)
Firefox master password has been long ago reported as weak [fossbytes.com], so what do they correct now is futile.
(Score: 2) by maxwell demon on Sunday August 18, @03:03PM (2 children)
From the link, I get it's only weak if you use a weak master password. Mine has more than 20 characters, with letters, digits and special characters, so I guess I'm fine.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Sunday August 18, @03:39PM (1 child)
The weakness comes from the number of iterations used for hashing the password, I have should used this link instead, where the issue is explained with more detail [sophos.com].
Maybe long passwords are secure, I am no crypto expert, but using subpar methods below the standard recommendation, seems a bit shady.
(Score: 0) by Anonymous Coward on Sunday August 18, @04:22PM
number of iterations is a linear problem, so not really that important. you just need like 10000 and you are good.
number of characters is an exponential problem, so much more important.
they are complimentary, but you are not going to save yourself with a shit password if you just bump iteration count.
(Score: 2) by RamiK on Sunday August 18, @11:23AM (4 children)
Anyone remotely security-conscious was already using a password manager like passff and syncthing to backup and distribute their passwords between their machines anyhow.
compiling...
(Score: 2) by RamiK on Sunday August 18, @11:32AM
And Floccus [github.com] for the bookmarks before anyone asks.
compiling...
(Score: 4, Insightful) by c0lo on Sunday August 18, @12:48PM (2 children)
Because everybody knows that, unlike any other software, the password managers are [soylentnews.org] bug [soylentnews.org] free [soylentnews.org].
(Score: 3, Touché) by AthanasiusKircher on Sunday August 18, @02:13PM (1 child)
I don't think anyone here was claiming that any software is impervious to bugs or exploits. However, given the track record of browsers (including Firefox) with security bugs, as well as the fact that they seem to be releasing updates every week these days (often to fix security bugs) makes me nervous to put my trust in them. I'd prefer to have a dedicated piece of software devoted specifically to maintaining security of passwords, and I don't think that's an irrational decision. Storing them in a piece of software with a codebase as large as Firefox that's changing all the time whose primary job is to connect to the internet, and which has a track record of many kinds of bugs that allow people on the internet to access to things they shouldn't be able to -- well, that honestly seems to be a poor security decision to me.
To me, it's kinda like if you had keys to safe deposit boxes (or other sensitive/valuable materials) and you chose to store them in a locked box in your car visible to onlookers, which you drove around with you everywhere, instead of putting them in -- I don't know -- a hidden safe in your house. Oh, and every time you take that car in for an oil change, the mechanics do updates on the car, which may or may not have to do with the locked box (and may or may not impact its security, but it's wired in electronically to the car, so any update could impact it). While the safe in your house only gets updates rarely and they are specifically to secure the safe.
Sure, both have security issues, but I'd be much more concerned about the one potentially exposed to random places around the world all the time that everyone knows to try to look for/break into.
Two out of the three links you listed primarily deal with password managers that are attached to browsers too, which similarly make me nervous. You'd hope that the separate nature of a browser plug-in would isolate it from vulnerabilities in the browser code, but what if the browser code changes on an update in an unexpected way?
As your third link notes, even standalone password applications can have vulnerabilities in terms of temporary storage in RAM, etc., but most of the time to get access to that stuff, you'd need physical access to the machine (or at least access at the level of the user or an admin to their account remotely). Whereas web browsers are primarily designed to allow a bunch of remote stuff to run on your computer (from cookies to scripts, etc.). Why would you choose to store your material of greatest security concern within that application??
(Score: 2) by RamiK on Sunday August 18, @04:30PM
That. Also, I'm personally using PassFF which means even if the browser's addon gained access and managed to exploit some bug in zx2c4's pass, it would have to contend with some 4096bits of GnuPG. Well, they might be able to find some other bug in the stack that will let them workaround that too... But this is getting state-level targeted and I doubt the triple letter agencies won't just wrench & hammer me for my password instead.
compiling...
(Score: 0) by Anonymous Coward on Sunday August 18, @11:27AM (2 children)
The CVE linked, CVE-2019-11733 [mitre.org], only contains placeholder data. It isn't an actual CVE as of the time of this comment.
(Score: 2) by Bot on Sunday August 18, @11:52AM (1 child)
You are supposed to read TF Title of the submission and comment on that. Only if you are really stumped you can briefly look at TF summary. Following links, reading the original submission and other similar fancy behaviour is not part of the tradition of this site nor of its ancestor.
(Score: 0) by Anonymous Coward on Sunday August 18, @02:13PM
I will hang my head in shame.
Oh, and Fuck Beta.
(Score: -1, Troll) by Anonymous Coward on Sunday August 18, @11:48AM
The Mozilla Foundation has grown beyond any such petty concerns as a browser.
Their main focus now seems to be political crap.
(Score: 2) by maxwell demon on Sunday August 18, @12:56PM (2 children)
So to exploit this vulnerability, the user needs to have access to my unlocked screen running Mozilla. I'd say, at that point it's already game over anyway, as with that level of access, the same attacker could just install a keylogger reading my master password the next time I enter it.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by bzipitidoo on Sunday August 18, @01:40PM (1 child)
I don't find entirely believable their assertion that local access is required. JavaScript and plugins can do a lot of things, and there could well still be ways to capture local data and transmit it to a malicious website.
I have run into the sort of malicious website that creates the uncloseable window that plays, over and over, an audio clip that states your computer is infected while text while the same scary message flashes and scrolls across the window. They were also able to reprogram things so that in the URL bar, any keypress at all takes the browser right back to the malicious website. Haven't seen that one lately. When I last saw it, I had to kill the browser from the command line, then purge the cache and the history. For a website that can do all that, transmitting some data from a local buffer seems like it might be kinda easy in comparison.
(Score: 2) by maxwell demon on Sunday August 18, @02:56PM
Of course, once you install a malicious plugin, it's also game over. But a web site shouldn't be able to do that.
The "uncloseable" window is easy: Just attach JavaScript on the "onclose" event. The URL bar OTOH sounds like something that shouldn't work for a web site (a plugin of course totally can do that). But maybe it was that you weren't actually at the URL bar (did you use the keyboard to get there? The keyboard event could have been caught and the switch to the URL bar prevented). Or of course it might have had nothing to do with the URL bar itself, and instead just monitored the attempt to leave the site using the onunload event (but then, it should not have triggered as soon as you enter something in the URL bar, but only when you press Enter there).
And of course I wouldn't completely exclude a vulnerability that allows you to read out a password. But it would not be this vulnerability. Instead, I would expect such a vulnerability to exploit the password auto fill-in; maybe by silently loading the login page into an invisible iframe, and then after the browser auto-fills it, reading the data from there.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by hendrikboom on Sunday August 18, @01:13PM (1 child)
Does ssh -X count as local access?
(Score: 0) by Anonymous Coward on Sunday August 18, @04:28PM
Local access means you have control over logged in user's session and are at the terminal.
FWIW, firefox refuses to run on a different DISPLAY if it is already running.