14

Going deeper into the previous question on Firefox plugins and add-ons malware risks: Could a Firefox add-on potentially decode and capture the encrypted websites' passwords saved in the browser?

Guillermo

2 Answers

10

In Firefox: Yes, absolutely. Nothing about the Firefox architecture prevents them from doing so.

While the passwords are in theory "encrypted" while stored on disk, the decryption key is also stored on disk. Therefore, any software with access to the filesystem will find it trivial to decrypt the stored passwords and access them. (If you don't want to take my word on it, here is one simple way to convince yourself that this is possible: The Firefox browser can decrypt them without prompting you for any secrets.)

In Firefox, plug-ins can run native code, so they can access the filesystem. Therefore, they can grab and decrypt all your stored passwords. They can also exfiltrate them out over the network, if they choose.

In Firefox, extensions can run arbitrary shell commands and access the filesystem, so they too can grab and decrypt all your stored passwords, and exfiltrate them over the network.

There is a light review process for popular Firefox extensions, which might make it harder for unsophisticated extensions to mount such an attack. However, this review process can be easily subverted by malware: extensions can dynamically load code from external sources (e.g., via <SCRIPT SRC=...> or eval), and the attacker can arrange for that externally-loaded code to be benign during review and malicious during execution.

Therefore, there is nothing that really prevents a malicious Firefox plug-in or Firefox extension from mounting such an attack.

(Interestingly, Chrome's extension system has better protection against this kind of attack, for extensions.)

D.W.
2

Once you run untrusted software on your machine it's not your machine anymore, and you have to assume that everything is compromised. The passwords exist as plaintext at some point - and thus they can be captured and sent to an attacker.

Firefox does several things to make capture of those passwords harder - it encrypts them (but this encryption is weak); it allows you to secure them with a master password; it keeps the (partially) encrypted file in a directory with a random name; etc. It's probably easier to attack other parts of the system; for example, there are keylogging Firefox extensions.

Here's an old document talking about saved password safety:

http://www.symantec.com/connect/articles/password-management-concerns-ie-and-firefox-part-one

Here is software to attack the Firefox passwords (but not as a plug-in from the browser, thus not answering the question):

http://securityxploded.com/firemaster.php

Here's a link to a good answer on superuser:

https://superuser.com/questions/20168/how-safe-is-firefox-password-manager/20177#20177

DanBeale
  • 2
    Decrypting the "encrypted" password file is trivial. You are vastly overestimating the difficulty of doing so. – D.W. Aug 04 '11 at 04:34
  • What? I link to software that decrypts the "encrypted" password file. How is that 'vastly overestimating' the difficulty of doing so? – DanBeale Aug 04 '11 at 09:22
  • edited my answer to add information from D.W. – DanBeale Aug 04 '11 at 10:06