
Firefox fixes “master password” security bypass bug

The bug's in Firefox, but our advice is worth reading whether you use Firefox or not.

Firefox just pushed out an update to fix a security glitch…

…in its password manager.

Mozilla delivers a new major version every six weeks on what we jocularly call fortytwosday, given that it always comes out on a Tuesday (and that 6 × 7 = 42).

Point releases, mainly to fix security issues, often come out between the main fortytwosday versions, as in this case, taking the full version number of the current 68-flavoured release from 68.0.1 to 68.0.2.

What’s interesting in this release is the security fix it delivers:

CVE-2019-11733: Stored passwords in ‘Saved Logins’ can be copied without master password entry.

When a master password is set, it is required to be entered before stored passwords can be accessed in the ‘Saved Logins’ dialog. It was found that locally stored passwords can be copied to the clipboard through the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

Mozilla rates this fix as “moderate” – after all, it doesn’t let just anyone extract web passwords any time from anywhere – but if you are a Firefox user, it’s worth checking that you are up-to-date.

Even if you have automatic updating turned on, make sure you know how to verify manually that updating is working correctly. (By the way, that goes for all the updates you’re subscribed to, including those for your operating system and other apps.)

The easiest way is simply to choose the About Firefox menu item, which tells you the version number you’re running now, checks for any updates, and offers you any updates that you haven’t received yet.

On a Mac, the About box is accessed from the Firefox menu item; on Windows and Linux, it’s Help > About Firefox.

Many Windows users run with the Firefox menu bar turned off to save screen space. If you don’t have the File Edit View... menu visible, you can enable it by right clicking in the top bar of the Firefox window and turning on the Menu Bar option. Pressing the Alt key will also toggle the menu bar on and off. Alternatively, click the three-bar icon (also known as the hamburger button) at the top right and choose the Help menu from there.

If there’s an update available, you’ll see a [Restart to update Firefox] button:

Click it and you’re done – Firefox will remember the tabs you have open and the session cookies you have set, exit, update, reload and open your tabs back up again.

If all goes well, you’ll be back where you were, still logged in to the same sites and ready to continue.

Go back to the About box and confirm that you’re up-to-date:
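If you look after more than one computer, checking each About box by hand does not scale. The following script is an added example, not code from the Naked Security article or from Mozilla: it parses Firefox version strings as reported by `firefox --version`, by the About box, or by the `LastVersion=` line in a profile’s compatibility.ini (a constructed inventory is embedded) and reports which hosts are still below 68.0.2, the release the article names as carrying the fix for CVE-2019-11733. Betas sort below their final release, and ESR builds are recognised.

```python
import re

# Firefox 68.0.2 shipped the fix for CVE-2019-11733 (per the article).
FIXED_VERSION = (68, 0, 2)

# Matches "68.0.1", "68.0.2esr", "69.0b7", "Mozilla Firefox 68.0.2" and the
# "68.0.2_<buildid>/<buildid>" form used by LastVersion in compatibility.ini.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:([ab])(\d+))?(esr)?")


def parse_firefox_version(text):
    """Return (major, minor, patch, prerelease, is_esr) or None if no version is found.

    prerelease is a tuple chosen so that alphas/betas compare below the final release."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):  # "a"/"b" suffix: pre-release ranks below (1,), the final build
        prerelease = (0, m.group(4), int(m.group(5)))
    else:
        prerelease = (1,)
    return (major, minor, patch, prerelease, m.group(6) == "esr")


def is_fixed(version):
    """True when the parsed version is at or above 68.0.2 (release or ESR)."""
    return version[:4] >= FIXED_VERSION + ((1,),)


# Constructed sample inventory: "<hostname><TAB><version string as collected>".
# The build id on the last line is a made-up placeholder, not a real Mozilla build.
SAMPLE_INVENTORY = """\
laptop-01\tMozilla Firefox 68.0.1
laptop-02\tMozilla Firefox 68.0.2
build-03\t68.0.2esr
dev-04\t69.0b7
kiosk-05\tLastVersion=68.0.1_20190101000000/20190101000000
legacy-06\tversion not collected
"""


def audit(inventory_text):
    """Map each host to 'up to date', 'needs update' or 'unknown'."""
    report = {}
    for line in inventory_text.splitlines():
        host, _, raw = line.partition("\t")
        version = parse_firefox_version(raw)
        if version is None:
            report[host] = "unknown"
        else:
            report[host] = "up to date" if is_fixed(version) else "needs update"
    return report
```

A host reported as "unknown" has not been checked at all, which is exactly the silent failure mode the manual About-box check is meant to catch.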

Two more controversies…

By the way, Firefox’s password manager raises two interesting controversies even in the absence of a security problem like the one mentioned here.

The password manager is turned on by default, but without a master password, as you can see by doing a fresh install and then going to the Privacy & Security section on the Preferences page:

In other words, a default Firefox setup essentially suffers from the bug described in this article all the time, because there’s no master password used by default, and therefore you never need to enter one.

We recommend never keeping unprotected password databases on your computer, so we suggest that you either:

  • Turn Firefox’s Ask to save logins and passwords for websites option OFF, or
  • Turn Firefox’s Use a master password ON.

If you’ve already got a standalone password manager app that you use for general password security, you probably want to forgo Firefox’s built-in password storage and use your chosen app instead.

Although there’s an adage that says you shouldn’t put all your eggs in one basket, there are disadvantages to using multiple password managers, namely that it’s much harder to keep everything in sync and backed up.

After all, there’s another cybersecurity adage that says, when it comes to passwords, you should put all your eggs in one basket, and watch that basket.

To get rid of any login information you’ve entrusted to Firefox, accidentally or otherwise, use the [Saved Logins...] button shown above, and then [Remove All] to empty Firefox’s password database.

Oh, and while you’re about it, turn on two-factor authentication (2FA) for any online accounts that support it – it’s a minor inconvenience for you but a significant additional barrier for cybercrooks.


14 Comments

I’m pretty sure you made this up:

“After all, there’s another cybersecurity adage that says, when it comes to passwords, you should put all your eggs in one basket, and watch that basket.”

but I like it and will be quoting you!

Reply

The original “watch that basket” saying seems to date to the 19th century and is variously ascribed to Andrew Carnegie and Samuel Clemens, better known as Mark Twain. Twain apparently used the phrase in his novel Pudd’nhead Wilson (not in reference to cybersecurity, of course).

I first came across it as a cybersecurity adage, referenced back to the aforementioned Pudd’nhead Wilson, in the first edition of Firewalls and Internet Security: Repelling the Wily Hacker by Messrs. Cheswick and Bellovin, published in the 1990s. Each chapter had a pithy quote, usually of a literary sort, at the start.

So I am glad you like it and encourage you to use it, but I didn’t come up with it – I merely memorised it because I liked it myself :-)

Reply

Dear Mozilla, I used to be naive enough to keep a mail with all the details of the login IDs and passwords for all the mail IDs I had, one each for personal needs, office, news feeds/YouTube comments etc., so as to recall the passwords quickly. Obviously the ID/password details were lifted and well utilised by the thieves.
The thieves are not somebody in Mauritania or on the Moon.
The thieves are among the very persons you meet and interact with every day or frequently.
Thank you Mozilla for the update. Please help with the ifs and buts cited above. Thank you again.

Reply

The passwords are encrypted on disk using the master password so how is it possible to copy them without the master password?

Reply

Good question; not sure; makes you wonder!

I use a loopback device (known as an HDI or Hard Disk Image in macOS terminology) that is encrypted in its entirety. My passwords are into encrypted files inside that encrypted BLOB. So I can mount the disk with a master password (thus it is not needed again until I “eject” the virtual volume) but I still need a secondary password each time for each account.

It’s a bit more hassle than a typical password manager but there are parts of my life where I find the saying “more haste, less speed” (or perhaps “slow and steady wins the race”) helps me a lot – overall I am as efficient as I wish to be but every now and then I am forced to stop/think/connect.

It’s like commuting from one side of London to the other on a bicycle – when I first did it I would find myself overtaking – flying past! – even experienced couriers all the time. “Hey, I’m quick!” It didn’t take long to realise that they overtook me back just as often and were therefore capable of much, much longer journeys over the course of a whole day at the same average speed that I achieved by burning myself out in an hour.

Reply

According to the article, the passwords are copied from the *clipboard* (i.e. the system memory) after selecting Copy Password from a context menu. So there’s no need to get to the data-at-rest portion of the equation.

Reply

That’s an excellent question, Wanker. I would like to see Naked Security, with its “journalistic privilege”, seek an answer from Mozilla.

Reply

On Windows, you don’t need to turn the menu bar on permanently; you can just hit the Alt key to temporarily show it.

But you don’t even need to do that to access the “About Firefox” option. Just click the “hamburger menu” button at the right-hand edge of the toolbar, then “Help -> About Firefox”.

Reply

This is pretty much a non-issue, as you must enter the master password before you can even get to the saved logins screen with the affected context menu. Clicking show passwords prompts for the password a second time.

Bottom Line, there’s no way to exploit this unless you already entered the master password once….

Reply

Bubba is correct. The Master Password must be entered at least once in the current session before encrypted logins can even be accessed.

Reply
