Slashdot Mirror


Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."
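An added illustration, not part of the article or of the NSS source: the single-pass derivation the summary describes next to an iterated KDF, with a rough cost model for how long a password of a given entropy holds up. The function names, the PBKDF2 choice, the iteration count and the sample entropies are assumptions; the guess rate is the single-GPU figure quoted in the comments on this page.

```python
import hashlib
import math

# Single-GPU SHA-1 guess rate quoted in this page's comments (GTX 1080).
GUESSES_PER_SEC = 8.5e9

def weak_key(salt: bytes, master_password: str) -> bytes:
    """One SHA-1 pass over salt + password, as the summary describes it.
    Simplified illustration, not the NSS source."""
    return hashlib.sha1(salt + master_password.encode("utf-8")).digest()

def stretched_key(salt: bytes, master_password: str, iterations: int) -> bytes:
    """Same inputs through an iterated KDF (PBKDF2-HMAC-SHA256 chosen here
    as an assumption; the page does not say what a fix would use)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def stretch_bits(iterations: int) -> float:
    """Iterating multiplies cost by a factor; express it as entropy bits."""
    return math.log2(iterations)

def days_to_exhaust(entropy_bits: float, iterations: int = 1,
                    rate: float = GUESSES_PER_SEC) -> float:
    """Days to try every password of the given entropy. Assumes each
    iteration costs about one hash at `rate` (a rough model)."""
    return (2 ** entropy_bits) * iterations / rate / 86400

def compare(entropies=(30, 50, 80), iterations=100_000):
    """Constructed sample entropies; returns (bits, days_weak, days_stretched)."""
    return [(b, days_to_exhaust(b), days_to_exhaust(b, iterations))
            for b in entropies]

if __name__ == "__main__":
    salt = bytes(range(20))  # constructed salt, fixed so output is repeatable
    print(weak_key(salt, "correct horse").hex())
    print(stretched_key(salt, "correct horse", 100_000).hex())
    print(f"100,000 iterations add about {stretch_bits(100_000):.1f} bits")
    for bits, weak, strong in compare():
        print(f"{bits:>3} bits: {weak:.3g} days vs {strong:.3g} days")
```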

35 of 74 comments

  1. Third-party for the win by 93+Escort+Wagon · · Score: 4, Insightful

    On Mac, the default Firefox behavior is now to use the system keychain (although that used to require an add-on). On Gnome (Linux) I believe you can do the same thing with Gnome’s keychain manager. And certainly tools like LastPass will integrate with the browser.

    Don’t get me wrong - Firefox should fix this. But you don’t need to rely on their built-in password vault.

    --
    #DeleteChrome
    1. Re: Third-party for the win by Anonymous Coward · · Score: 4, Insightful

      There's good reason to not use the Windows one. Personally I don't want the FF master password to be blown away by domain admin password reset.

    2. Re:Third-party for the win by beckett · · Score: 1

      On Mac, the default Firefox behavior is now to use the system keychain (although that used to require an add-on)

      link for this add-on? Firefox Quantum doesn't interact with the Mac OS Keychain, and the old add-on is incompatible with Quantum.

    3. Re:Third-party for the win by 93+Escort+Wagon · · Score: 2

      You're right. While Firefox was my main browser for a long time, I mostly stopped using it a few years ago - I didn't think about the fact that their recent Quantum reboot basically killed off most of their add-ons (even those they'd started including by default).

      It also killed off support of the Gnome keyring.

      Another reason I'm glad I moved on...

      --
      #DeleteChrome
    4. Re:Third-party for the win by 93+Escort+Wagon · · Score: 3, Insightful

      It is worth noting that Firefox's Extended Support Release (ESR) channel is still using the previous engine (version 52), and supports all the "old" add-ons.

      If you're not already on ESR, it might be worth moving over there while you evaluate whether it makes any sense to continue being a Firefox user.

      --
      #DeleteChrome
    5. Re:Third-party for the win by viperidaenz · · Score: 1

      PCI-DSS allows SSL traffic to be monitored.

      Actually it probably forbids SSL, as it's an old, weak encryption standard. TLS is where it's at now.

    6. Re:Third-party for the win by ls671 · · Score: 1

      I never have used any password manager. Just the name should be sufficient to scare you off.

      --
      Everything I write is lies, read between the lines.
    7. Re:Third-party for the win by EelcoV · · Score: 1

      MacOS using the system keychain? I wish it were true. But it isn't. See bug 106400 [https://bugzilla.mozilla.org/show_bug.cgi?id=106400].

    8. Re:Third-party for the win by TheRaven64 · · Score: 1

      What's the Linux one? Android has secure credentials storage, but I've not seen anything standard on other *NIX systems. The Mac / iOS one is built on Mach IPC and so can implement very fine-grained access control (e.g. set per-application access to each item and require you to re-authorise an application if its binary or shared library dependencies change). Windows provides primitives for this (and has for the entire NT series) but I don't know if anyone has used them to build a sensible credentials manager (MS appears to have added one in 8.1, but I didn't look in any detail).

      --
      I am TheRaven on Soylent News
    9. Re:Third-party for the win by TheRaven64 · · Score: 1

      Last time I looked at the Firefox password storage, it was entirely in process, so a compromise of one tab could dump your entire password store. In contrast, the macOS keychain daemon is a separate process and the browser must request each password individually. In Safari (and, I think, Chrome), this is done by the parent process of the renderer processes, which also checks the domain associated with the renderer. If you compromise a tab, you can request all credentials associated with that domain. If you navigate to another domain, you will (usually) get a new renderer process, which should not inherit the compromise.

      Rolling your own security when the OS provides the required functionality is almost always the wrong choice, unless you're employing better security engineers than the OS vendor. In Mozilla's case, this isn't true. Apple, Google, and Microsoft all shipped browsers that were split into multiple sandboxed processes before Mozilla, which managed to take almost 10 years between the first mainstream web browser adopting this model and Firefox doing the same.

      --
      I am TheRaven on Soylent News
  2. What this means? by Anonymous Coward · · Score: 2, Informative

    So just to be clear.

    You'd still need to brute force crack one the hard way, with no rainbow tables, or finding a hash collision, but once you find one, you know the master password for all.

    1. Re:What this means? by mysidia · · Score: 1

      The problem is "hard way" is an incorrect description.... the SHA1 hash algorithm is not computationally expensive, as it is not intended for deriving a key from a password in order to "stretch" the key strength and protect the password.

      Brute forcing the password protected by only SHA1 is an _easy_ process and can be GPU accelerated to approximately 8.5 Billion hash ops per second on a GTX 1080, and a reference system with 8 of the nVIDIA GPUs can do SHA1 brute forcing at 68 Billion SHA1 passwords per second with Hashcat.

  3. Tinfoil suspect level 10000 by kaptink · · Score: 1

    Correct me if I'm wrong. But shouldn't a mainstream browser like Firefox be using something that actually could be considered even remotely secure for the mother password of all your other passwords? It sounds almost intentional, if not exceedingly negligent. And after nine years and it's now only coming to light? Something doesn't sound right.

    --
    Those who can, do. Those who cannot, sue.
    1. Re:Tinfoil suspect level 10000 by AHuxley · · Score: 1

      Safari and the support and quality of Mac OS?
      Firefox and its support for passwords?
      Users like an OS/browser filling in their most enjoyed sites so they can get to content without having to enter in a lot of different passwords every day.
      That's a lot of trust.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Tinfoil suspect level 10000 by arglebargle_xiv · · Score: 2

      They would have fixed it years ago, but they were all occupied making Firefox look like a crap copy of Chrome and adding "features" no-one ever asked for or wanted.

    3. Re: Tinfoil suspect level 10000 by Carewolf · · Score: 2

      Any malware might as well install a keylogger then. You are assuming a compromised machine to argue it is compromised by this.

  4. Golden rule by fluffernutter · · Score: 1

    The golden rule of technology: Just because you can do it doesn't mean you should. This means more today than ever.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:Golden rule by Anonymous Coward · · Score: 1

      More accurate Golden rule for tech security is this: If it makes your tech life convenient, then it is NOT secure.

  5. And thus . . . by quonset · · Score: 1

    why I never save my passwords in any browser.

  6. Yet another overblown claim, again by eSyr · · Score: 5, Insightful

    So what? Yes, SHA-1 is a bit dated and is definitely not future-proof, but so far only second image type of attack has been shown for it (and it took an immense amount of computational resources), and reversing is still not practically possible. Heck, even MD5 would be sort of OK for personal use (no one keeps, or ought to keep, top-secret passwords in browser anyway).

    The fact that Firefox still uses SHA-1 just means that it's time (OK, it's time for 2—8 years already) to move to more secure hashes, nothing more.

  7. Is it a remote exploit? by 140Mandak262Jamuna · · Score: 3, Funny

    It looks more like someone with access to your machine can write a script to brute force and find the master password and unlock all remaining passwords.

    More likely to be used by roommates, spouses and cohabitating couples than by Russian hackers.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Is it a remote exploit? by jimbolauski · · Score: 1

      Is the fix to this vulnerability to get a slower machine?

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
  8. Amplification schemes are worth much by WaffleMonster · · Score: 4, Insightful

    Exponents protect secrets.
    Factors are window dressing designed to make things look nice.

    I personally think everyone should use amplification because it really does make guessing more difficult with no substantive downsides.

    Yet at the same time to conclude failure to use amplification means "poorly secured" is comically wrong.

    The fact operations are repeated thousands of times over always elicits those who bring up the obvious point that it really takes x times more resources to obtain a result.

    Yet it is not so clear what the relevance is. So what if it takes a day vs a few minutes or months vs few hours or the difference between doing it yourself vs farming the job out to thousands or millions of processors?

    At the end of the day calculus is not significantly changed regardless of whether amplification is used or not.

    1. Those with low entropy keys should be worried.

    2. Those with high entropy keys are better off finding something else to worry about.

    The more bits you add to the search space, the more worthless amplification schemes look in comparison.

  9. Re:Ok, so the problems here are: by WaffleMonster · · Score: 2

    1) Using SHA-1 in this day and age; and

    There is nothing wrong with use of SHA-1 in this context based on publicly available information about shortcomings of SHA-1.

  10. Re:Ok, so the problems here are: by EMN13 · · Score: 1

    In fact, even MD5 hasn't been broken for this use case. Pre-image attacks are very hard to pull off.

  11. And what is the problem with that? by gweihir · · Score: 5, Interesting

    SHA1 is not broken for this use. If the password is weak, you could brute-force it, sure. But then the user already has a problem. If the password is strong, then this is perfectly secure. Of course, using Argon2 would be better, but if the password is really weak, that can only do so much to make it more secure.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Re:Ok, so the problems here are: by viperidaenz · · Score: 2

    In this context, the SHA-1 hash only has one iteration.
    In 2010, it only cost $2.10 to crack a 6 char password in an EC2 instance.
    https://www.geek.com/news/rese...
    Since then hardware has become much faster. Today's GPUs can do several billion hashes per second.
    There have also been more advances made in brute forcing SHA-1.
    https://nakedsecurity.sophos.c...

  13. Re: Firefox sucks, say it isn't so. by Carewolf · · Score: 1

    Yeah, at least its password manager doesn't involve uploading it as clear text to Google's servers like Chrome's does.

  14. Cleartext attack / Password reuse by DrYak · · Score: 1

    But Firefox isn't using SHA-1 as a password hash; it's being used to generate deterministic noise for generating an encryption key, at which point the hash is thrown away. So if you generate billions of hashes that won't help you because you don't have the original hash to compare against.

    Until you find a situation where you at least know 1 password stored in a database (stolen through other channels - e.g.: one of the webserver database leaks mentioned regularly on haveibeenpwnd.com) or rely on password reuse (there's bound to be at least 2x the same entry over the whole password database).

    At that point, the idea is to brute force the master password, until either two entries decrypt to the same content or until at least one entry in the database matches the 1 clear password you know.

    Of course it's much slower (every single entry in the database uses a different salt, so you need to iterate over the whole database every single time for every iteration of the brute force attack), so it's definitely not the situation of "brute force a 6 characters password for 2 dollars on EC2", but it's still within the realm of possibilities.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  15. Oh noes! by Anonymous Coward · · Score: 1

    While SHA1 is dated, yes, it's still better than let's say Pidgin - which stores all passwords plaintext inside the account XML file.
    I'm sure lots of people that use it have it connected with their google account as well. (Insecure accounts boo hiss enabled and all that guff)

  16. SSL no, TLS yes, monitoring yes, logging no by raymorris · · Score: 1

    You are correct, SSL is a PCI fail. As is TLS 1.0. TLS 1.1 is frowned upon but it won't make you fail PCI.

    Real-time analysis of TLS traffic is okay. GP said it was LOGGED. That's probably a fail, because the logs probably aren't secured enough.

  17. Don't store critical data in browsers by ilsaloving · · Score: 1

    Browsers are the front line application that is the first to be hit by any malicious software out there. That means it should be considered the LEAST secure, and treated accordingly.

    Having a password manager is good, but it HAS to be kept external to the browser, so if the browser is compromised (or it does something moronic like autofilling fake login forms), then it can't compromise sensitive data along with it.

    There are plenty of them out there, from 1Password to LastPass, it's just a matter of education and encouraging people to use these tools.

  18. Sounds good by OrangeTide · · Score: 1

    So I shouldn't let people have access to my computer?

    --
    “Common sense is not so common.” — Voltaire
  19. retcon superpowers by epine · · Score: 1

    But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced.

    To support the article title, the logically necessary claim is that it was easy to brute force nine years ago.

    Not that I would expect a security researcher able to improve on SHA1 to be pedantic about these kinds of "minor" details.

  20. Re: Firefox sucks, say it isn't so. by Carewolf · · Score: 1

    Source?

    Chromium source code. It is open source.

    It is also the only way it can work, since they don't control the validation mechanism of all the websites they are storing websites for they can't store a hash which is the usual strategy, so they have to have a full clear-text password for the password syncing to work. Additionally you can go to their service and SEE the passwords stored, again demonstrating that Google has them in full clear-text.