Mozilla Firefox Bug Could Allow Copying Saved Passwords Without Master Password

Mozilla has addressed a serious security flaw in its Firefox browser. The vulnerability could have exposed passwords saved in the browser. Anyone with local access to the system could exploit this Mozilla Firefox bug without needing the Master password.

Mozilla Firefox Bug Exposed Saved Passwords

A serious vulnerability existed in Mozilla’s Firefox browser that could expose saved passwords to an attacker. As elaborated in Mozilla’s advisory, anyone with physical access to the device could copy passwords saved in the browser.

The problem became apparent when copying passwords turned out to be possible even when a user had enabled the Master password. Ideally, with the Master password turned on, it is not possible to access the ‘Saved Logins’ dialog box without entering the password. However, the bug made it possible to bypass this security check.

According to Mozilla,

It was found that locally stored passwords can be copied to the clipboard through the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

Mozilla deemed it a medium-severity bug, and it received the CVE ID CVE-2019-11733.

Firefox 68.0.2 Carries The Fix

With the release of Firefox browser version 68.0.2, Mozilla has seemingly fixed the flaw. Now, no one with local access to the browser can view or copy saved passwords without entering the Master password.

Mozilla has also fixed the same vulnerability in Firefox ESR with the release of Firefox ESR 60.8.2.

With the fix for this bug, users who had enabled the Master password are safe from potential password theft. However, those who have not enabled a master password yet still save logins in the browser remain vulnerable. This is because Firefox’s ‘save passwords’ feature is active by default, and it never really prompts the user to set up a master password.

Therefore, Firefox users must make sure to turn on this security feature to protect their logins from intentional or accidental exposure to unauthorized users.
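
To find installations that still predate the fixed releases named above, an administrator can compare collected `firefox --version` banners against those version numbers. The following is an added example, not code from Mozilla or from the original article; the host names and banners are constructed sample data, and the `esr` suffix on ESR banners is an assumption about the banner format.

```python
import re

# Fixed releases as stated in the article above.
FIXED_RELEASE = (68, 0, 2)   # Firefox 68.0.2
FIXED_ESR_60 = (60, 8, 2)    # Firefox ESR 60.8.2

# Matches "68.0.1", "69.0" or "60.8.0esr" inside a version banner.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_banner(banner):
    """Return ((major, minor, patch), is_esr); raise ValueError if no version."""
    match = _VERSION.search(banner)
    if match is None:
        raise ValueError("no Firefox version in banner: %r" % banner)
    version = (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))
    return version, match.group(4) is not None


def has_fix(banner):
    """True if the banner reports a build at or after the fixed release."""
    version, is_esr = parse_banner(banner)
    if is_esr and version[0] == 60:
        return version >= FIXED_ESR_60
    # Everything else, including older or newer ESR branches, is compared
    # against the mainline fix version.
    return version >= FIXED_RELEASE


def audit(inventory):
    """Return the sorted hosts to follow up on: outdated or unreadable banners."""
    flagged = []
    for host, banner in inventory.items():
        try:
            if not has_fix(banner):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # unknown state is treated as not verified
    return sorted(flagged)


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "ws-01": "Mozilla Firefox 68.0.1",
    "ws-02": "Mozilla Firefox 68.0.2",
    "ws-03": "Mozilla Firefox 60.8.0esr",
    "ws-04": "Mozilla Firefox 60.8.2esr",
    "ws-05": "Mozilla Firefox 69.0",
    "ws-06": "firefox: command not found",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check only covers the patch level; it cannot tell whether a Master password has been set on a given profile.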
