Mozilla Firefox Bug is Allowing User Passwords to be Stolen (Now Fixed via an Update)

  • Earlier Firefox versions allowed user passwords to be copied even if a master password was set.
  • An unauthenticated person with access to the target’s computer could use the ‘Saved Logins’ dialog to copy the passwords.
  • The latest bug-fixing version has resolved this problem, but people still need to set up a master password.

Mozilla has released Firefox version 68.0.2, which fixes CVE-2019-11733, a severe vulnerability that lets an unauthorized user copy passwords stored in the browser’s “Saved Logins” database. These passwords belong to a Firefox user and are meant to stay hidden behind a master password that serves as that person’s login key. However, the flaw allows the user’s credentials to be stolen without knowing the master password, so this crucial safety step is bypassed altogether. The attack requires local access to the browser used by the target person, a prerequisite that could easily be fulfilled in a corporate environment.

The attacker would be able to see the passwords and copy them by merely opening the “Saved Logins” dialog, which is found under Options > Privacy & Security. Right-clicking on an entry gives the option to “Copy Password” to the clipboard, even if a master password has been set. With version 68.0.2, anyone who tries to copy a password from this dialog is prompted to enter the master password, so the flaw has been plugged.


This means that you should set up a master password if you haven’t done so already. To add one, open Firefox Settings (click on the cog), go to the “Privacy & Security” section, and check the “Use a master password” box. Unfortunately, Firefox doesn’t prompt the user to do this by default, so even in version 68.0.2 your passwords remain obtainable if a master password isn’t set.


Another safety measure that you should take manually is to enable the “auto-updates” on your Firefox browser, so that the software downloads vulnerability-fixing patches like this most recent one. You may do that through the settings again, under the “General > Firefox Updates” section, and enjoy some peace of mind.
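For administrators who want to check a fleet rather than one machine, the following is an added example (not from Mozilla or the original article) that flags Firefox profiles last run by a build older than 68.0.2 while holding saved logins. It assumes the profile files `compatibility.ini` (with its `LastVersion` entry) and `logins.json`; the sample profiles and build IDs are constructed, and the script cannot tell whether a master password is set.

```python
import configparser
import json
import re
import tempfile
from pathlib import Path

FIXED = (68, 0, 2)  # release the article names as containing the fix

def parse_version(text):
    """'68.0.2_<buildid>/<buildid>' -> (68, 0, 2); None if no leading number."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_profile(profile_dir):
    """Classify one profile directory: unknown / exposed / outdated / patched."""
    profile = Path(profile_dir)
    ini = configparser.ConfigParser(interpolation=None)  # paths may contain '%'
    try:
        ini.read(profile / "compatibility.ini", encoding="utf-8")
        version = parse_version(ini.get("Compatibility", "LastVersion", fallback=""))
    except (configparser.Error, ValueError):
        version = None
    try:
        logins = json.loads((profile / "logins.json").read_text(encoding="utf-8"))
        saved = len(logins.get("logins", []))
    except (OSError, ValueError, AttributeError):
        saved = 0  # no readable logins.json: treat as nothing stored
    if version is None:
        return "unknown"
    if version < FIXED:
        return "exposed" if saved else "outdated"
    return "patched"  # says nothing about whether a master password is set

def demo():
    samples = {  # constructed: name -> (LastVersion value, number of stored logins)
        "old-with-logins": ("68.0.1_20190717172542/20190717172542", 2),
        "old-empty": ("67.0_20190516215225/20190516215225", 0),
        "fixed": ("68.0.2_20190813150448/20190813150448", 3),
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, (last_version, n) in samples.items():
            p = Path(root) / name
            p.mkdir()
            (p / "compatibility.ini").write_text(f"[Compatibility]\nLastVersion={last_version}\n")
            (p / "logins.json").write_text(json.dumps({"logins": [{"id": i} for i in range(n)]}))
            results[name] = audit_profile(p)
    return results
```

A “patched” result only means the copy action is now gated by the master password prompt; profiles without a master password still need one set.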


On a side note, it is always a good practice to lock the screen when you’re away from your keyboard, especially when you’re using a computer that can be easily accessed by others during your absence.
