General discussion

Locked

Firefox saved passwords are easily viewable by others...

By danekan ·
I was just poking around in Firefox options and noticed that under the Preferences -> Security -> Saved passwords there's a small box that says "Show Passwords" ...and bada bing, there are all of my saved passwords in Firefox.

I find this appalling.

I'm well aware that these passwords are easily retrievable anyway by virii (which then send the information out to the virus author's FTP for their retreival), scripts, add-ins, etc., but never did I know that any Joe Schmoe with access to my browser could just go and instantly see all of my passwords. And yes, Joe Schmoe shouldn't really have access to your computer, but things happen. A friend may come over and need to use your Firefox. Or a co-worker may be flying out who needs to print their boarding pass.

I dug a little deeper and didn't really discover anyone that was overly outraged by this.

I even came across one blog where they posted an even easier way to retrieve your saved passwords:

-Go to a web site with a password saved (log out if you're logged in) and get to the page where it's showing your user name and saved password.

-In your browser URL bar copy/paste the code from <a href="http://www.raymond.cc/blog/archives/2007/07/13/easily-show-the-contents-of-password-fields/" >this article</a>.

Voila, your password for that site is revealed.

I imagine this presents some interesting security implications in the corporate environment.

And worse, I don't see any way to disable this feature to show the passwords. Yes, I could just not save any passwords. And yes, you could set a master password for the browser, so that anyone opening the browser is prompted for a master password (but if someone needed to borrow your browser, you'd probably enter the password for them in this case.)

If Microsoft had such a button, people would cry out that it's a security problem. Why does Firefox get the free pass on this?

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Redeeming feature

by santeewelding In reply to Firefox saved passwords a ...

Well, at least it tugs at the conscience of a thief by asking if they're sure they want to show the password(s).

Collapse -

Yes...

by danekan In reply to Redeeming feature

that box made me laugh.

I did notice that setting a master password not only prompts you for the password when you open the browser, but also when you try to access the 'show passwords' ... However the javascript still is able to easily retrieve it to get around the master password.

I guess the moral of the story is everyone should have a master password set for minimal added security.

Collapse -

And can you see other people's saved passwords ?

by Tony Hopkinson In reply to Firefox saved passwords a ...

If you lend your user which is what you are doing to someone else, they are you, and you've trusted they will all your authority, therefore your security and privacy are at their mercy.

Good luck with that. If someone wants to use my machine, I log off, they logon and as them....

Otherwise we might as well give up now.

Collapse -

You choose to Use Firefox yes?

by The 'G-Man.' In reply to Firefox saved passwords a ...

If you don't like it, go elsewhere.

Collapse -

This isn't just about me... it's a corporate security issue IMO

by danekan In reply to You choose to Use Firefox ...

It's a corporate security issue just as much as anything.

The irony of the situation is the 25% market share Firefox has a lot to do with the fact that it's perceived as a browser that's inherently more secure than Internet Explorer. When is the last time you've identified someone getting rogue malware or spyware installed when using Firefox?

This isn't just about me.

Collapse -

Lending your logon to someone else is the issue

by Tony Hopkinson In reply to This isn't just about me. ...

as soon as you do that security left the building.

Collapse -

it's not "my" issue...

by danekan In reply to Lending your logon to som ...

it's a corporate issue, yes perhaps. but people do it all of the time whether or not we as IT people like it or think we can control it.

also, in a heterogeneous environment, there may be times when a normally PC user can't do much else if the system is a mac, etc.

the case of the boarding pass, for example. user in Chicago visiting NY wants to print boarding pass on her bosses' mac. Is she going to really sit there and have the boss log out and close everything? Most people would not. And if they tell you they are, they're probably lying.

Collapse -

Not where I come from they don't

by Tony Hopkinson In reply to it's not "my" issue...

It's either a personal computer or it's not.

I fail to see why the FF boys should sit down and secure passwords of the logged on user for the logged on user, because the user might not be the one logged on.

That's locking the barn after horse has bolted.

I've never worked anywhere where access to my personal computer was required or even expected.

Collapse -

Nobody else uses my PC while I'm logged on

by NickNielsen In reply to Firefox saved passwords a ...

Somebody wants to use my PC, I log off, guest logs on as guest. Voila, no access to passwords.

See how simple it truly is?

Back to Browser Forum
9 total posts (Page 1 of 1)  

Related Discussions

Related Forums