New vulnerability in Mozilla Firefox allows third parties to access a saved password store
Mozilla has urgently released Firefox 68.0.2 to patch a serious vulnerability that allows third parties (hackers, applications, advertising providers) to access and copy the passwords that the user has saved in the browser, specifically in the browser's Saved Logins database, even when it is protected by another password.
"Every password stored in 'Saved Logins' can be copied without permission, without entering the master password," Mozilla Firefox's security advisory said. The vulnerability is tracked as CVE-2019-11733, and its impact rating is 'moderate'.
The vulnerability is dangerous because it allows anyone with local access to a computer running an unpatched version of Firefox to navigate to the Saved Logins dialog in Options > Privacy & Security and copy the password, as well as any other stored login information, just by right-clicking and selecting the "Copy Password" option.
Login and Firefox password
As mentioned, Saved Logins is the repository for user login information in Firefox. Saved Logins can also be protected by a separate password, called the master password, so anyone who wants to access the login store has to provide the master password first. However, security experts discovered that login information stored in Saved Logins can be copied to the clipboard via the 'copy password' option in the context menu, without first entering the master password. This makes it easier for someone to steal the passwords stored in the browser.
This is obviously a vulnerability that directly affects a security method used by Firefox to prevent unauthorized access to user login information.
Mozilla released the Firefox 68.0.2 security patch to fix this vulnerability, which means that third parties with local access to the browser will no longer be able to steal your passwords when a master password has been set up. What remains is to check that your Firefox has been updated to the latest version.
Copy the stored password in Saved Logins
One thing to note, however, is that Firefox's password manager is turned on by default to allow users to save login information more conveniently.
This is basically a good idea, since it helps curb the extremely dangerous password habits that most people have, but the downside is that Firefox does not require users to also set up a master password to protect their saved login information.
Therefore, in the browser's default configuration, the password store can be accessed by anyone who has physical access to the computer, which risks exposing sensitive, valuable information in local attacks.
Mozilla still uses this password management approach because the chance of someone gaining local access to your computer is usually much smaller than the chance of your password leaking after you log in to online platforms, or being hijacked through the online account fraud attacks that are an everyday occurrence on the internet today.
One thing to mention is that Firefox, with its built-in auto-update feature, will ensure that security patches released by Mozilla are sent to global users as soon as possible. Please enable this feature on your browser.
Enable automatic updates in Firefox
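The version check the article asks for can be scripted across several machines. The following Python is an added example, not code from the article or from Mozilla: it flags installs older than 68.0.2 and, going slightly beyond the article, enterprise policies that disable automatic updates or master password creation. It assumes every version below 68.0.2 lacks the fix; the host labels and inventory are constructed, and `DisableAppUpdate` and `DisableMasterPasswordCreation` are Firefox enterprise policy names that the article itself does not mention.

```python
import json
import re

FIXED_IN = (68, 0, 2)  # first release carrying the fix, per the article

# Matches "68.0.2", "68.0.2esr", "68.0b5", "69.0a1" inside `firefox --version` output.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([ab]\d+)?(esr)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    numbers = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return numbers, m.group(4) is not None


def audit(version_text, policies_json="{}"):
    """Return a list of findings for one install; an empty list means none."""
    findings = []
    numbers, prerelease = parse_version(version_text)
    if numbers < FIXED_IN:  # assumption: anything below 68.0.2 lacks the fix
        findings.append("unpatched: older than 68.0.2")
    elif prerelease:
        # Alpha/beta builds cannot be placed relative to the fix by number alone.
        findings.append("unknown: pre-release build, verify manually")
    policies = json.loads(policies_json).get("policies", {})
    if policies.get("DisableAppUpdate") is True:
        findings.append("policy DisableAppUpdate blocks automatic updates")
    if policies.get("DisableMasterPasswordCreation") is True:
        findings.append("policy DisableMasterPasswordCreation prevents a master password")
    return findings


# Constructed sample inventory: (host label, `firefox --version` output, policies.json text).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 68.0.1", "{}"),
    ("ws-02", "Mozilla Firefox 68.0.2esr", '{"policies": {"DisableAppUpdate": true}}'),
    ("ws-03", "Mozilla Firefox 69.0b3", "{}"),
    ("ws-04", "Mozilla Firefox 68.0.2", "{}"),
]

if __name__ == "__main__":
    for host, version, policy in SAMPLE:
        print(host, audit(version, policy) or ["ok"])
```

A patched version does not by itself protect the store: as the article notes, a master password still has to be set for the check to matter.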