Mozilla has released a patch for a flaw in its Firefox browser's password management system. According to the now-patched flaw, users could access the saved passwords section of the Firefox browser, right click on any of the saved passwords, and copy them to a text file. While every browser does allow users to see saved passwords, that is done by entering a master password, which in case of Firefox's vulnerability (listed as CVE-2019-11733) could be bypassed.
Firefox has disclosed the vulnerability, which was detailed by Sophos' Naked Security cyber vulnerability research blog, and stated that the issue has now been fixed. There was also a second reported vulnerability, which stated that Firefox's password manager is enabled by default without the use of a master password, when the browser is accessed for the first time. This potentially leaves all saved passwords vulnerable to local attacks without any secondary protection level, which is also something that Mozilla will have likely paid attention to.
The master password in question is often system-drawn, like in the case of Google Chrome, where the PC's password doubles up as the master password for the password manager database. If automatic updates have not been received yet, users are advised to manually check for the patch, and update their versions of Mozilla Firefox browser to the latest version available.
Comments
0 comment