- Earlier Firefox versions allowed user passwords to be copied even if a master password was set.
- An unauthenticated person with access to the target’s computer could use the ‘Saved Logins’ dialog to copy the passwords.
- The latest bug-fixing version has resolved this problem, but people still need to set up a master password.

Mozilla has released Firefox version 68.0.2, which fixes CVE-2019-11733, a severe vulnerability that lets an unauthorized user copy passwords stored in the browser’s “Saved Logins” database. These passwords belong to a Firefox user and are meant to stay hidden behind a master password that serves as that person’s login key. However, the flaw allows the user credentials to be stolen without knowledge of the master password, so this crucial safety step is bypassed altogether. The attack requires local access to the browser used by the target person, a prerequisite that could be easily fulfilled in a corporate environment.
The attacker would be able to see the passwords and copy them by merely opening the “Saved Logins” dialog, which is found under Options > Privacy & Security. Right-clicking on an entry gives the option to “Copy Password” to the clipboard, even if a master password has been set. With version 68.0.2, anyone who tries to copy a password from this dialog will be prompted to enter the master password, so the flaw has been plugged.
This means that you should set up a master password if you haven’t done so already. You can add one by opening Firefox Settings (click on the cog), going to the “Privacy & Security” section and checking the “Use a master password” box. Unfortunately, Firefox doesn’t prompt the user to do this by default, so even in version 68.0.2, your passwords would remain obtainable if a master password isn’t set.
Another safety measure that you should take manually is to enable the “auto-updates” on your Firefox browser, so that the software downloads vulnerability-fixing patches like this most recent one. You may do that through the settings again, under the “General > Firefox Updates” section, and enjoy some peace of mind.
On a side note, it is always a good practice to lock the screen when you’re away from your keyboard, especially when you’re using a computer that can be easily accessed by others during your absence.
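
For administrators checking several machines, the Python script below is an added example (not Mozilla's code and not part of the original article) that flags Firefox profiles which hold saved logins and were last run on a build older than 68.0.2. It assumes the profile's `compatibility.ini` carries a `LastVersion` entry and that `logins.json` holds a `logins` array; the function names are hypothetical, and it neither decrypts anything nor detects whether a master password is set.

```python
import configparser
import json
import re
from pathlib import Path

FIXED = (68, 0, 2)  # release the article says fixes CVE-2019-11733

# Constructed sample of a profile's compatibility.ini (build id is made up).
SAMPLE_INI = "[Compatibility]\nLastVersion=68.0.1_20190101000000/20190101000000\n"


def parse_last_version(ini_text):
    """Return (major, minor, patch) from compatibility.ini text, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(ini_text)
    except configparser.Error:
        return None
    raw = cp.get("Compatibility", "LastVersion", fallback="")
    nums = []
    for piece in raw.split("_", 1)[0].split(".")[:3]:  # drop build id, keep x.y.z
        m = re.match(r"\d+", piece)  # "0b3" (beta) -> 0
        if not m:
            return None
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))


def audit_profile(profile_dir):
    """Classify one Firefox profile directory without decrypting anything."""
    profile_dir = Path(profile_dir)
    try:
        version = parse_last_version((profile_dir / "compatibility.ini").read_text())
    except OSError:
        version = None
    try:
        data = json.loads((profile_dir / "logins.json").read_text(encoding="utf-8"))
        saved = len(data.get("logins", []))
    except (OSError, ValueError, AttributeError):
        saved = 0
    if saved == 0:
        status = "no-saved-logins"
    elif version is None:
        status = "unknown-version"
    elif version < FIXED:
        status = "exposed"  # saved logins in a profile last run on a pre-fix build
    else:
        status = "patched"  # master password must still be confirmed in the UI
    return {"profile": profile_dir.name, "version": version,
            "saved_logins": saved, "status": status}
```

Call `audit_profile()` on each directory under the user's Firefox `Profiles` folder; any result marked `exposed` needs the update, and every result with saved logins still needs the master password confirmed by hand.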