RejZoR - Show passwords feature is a serious security issue in Firefox and Chrome

Show passwords feature is a serious security issue in Firefox and Chrome

Friday, June 12, 2009 9:20:13 PM

password, opera, ie8, browser, chrome, safari, internet explorer, security, firefox

I'm wondering one thing. Firefox and Chrome are both constantly bragging about security.
Yet they both fail at their very core feature. They serve ALL your passwords to any, even the dumbest user that can get physical access to your browser. As much as this doesn't seem to concern anyone at Google or Mozilla, it certainly concerns me. And it should also seriously concern you, if you are the user of either Firefox or Chrome. Why the hell is this feature even there? Sure you can hack passwords out of storage Firefox/Chrome files, but tell me, how many average users can actually do that?
I bet 90% of them don't even know what's a "profile folder". But here, it's just a click away. Served on a silver platter to anyway. There goes all the security out the window...

There is of course the "Master Password" feature which couldn't be any more useless than it is.
Instead locking the "Show password" function alone, it locks the entire browser. How f**kin' gay is that? Sure it may come in handy for something, but they could just as well make two lock down features.
"Master browser lock" and "Master password lock". The first would lock the entire browser from unauthorized access without password and second one would just prevent anyone from accessing ALL of your passwords while giving free access to all other browser features (so you can actually browse the web).

There was a surprise after checking few other browsers however. Opera, Safari and yes, even Internet Explorer 8 don't show any passwords to everyone. You can see what pages have password stored and what is the user name used there, but there is no way you can see the actual passwords.

I'm using Firefox and this really concerns me. All passwords are just a click away. Yeah, you can check it and see it for yourself under Tools\Options\Security -> Saved passwords.
Chrome is no better. But Opera, Safari and IE8 surprised me. They actually have this done right.
I especially don't get it why they left this in there while they are constantly working on security fixes, implementing new security features and so on. But it seems they only care about remote stuff.
Local access is just as problematic as remote people.

So, if you're in any way affiliated with either Mozilla or Google, or if you know the right people there, let them know that this is a serious security issue that needs to be addressed soon.

No Internet Explorer 8 in Windows 7 for Europe!?Download IE8 and feed the hungry

Comments

Anonymous # Monday, June 15, 2009 9:44:08 PM

davidp writes: try this: http://geek-out-blog.blogspot.com/2008/06/how-to-remove-show-passwords-button-in.html it's not the perfect solution (considering someone could still easily delete userChrome.css file), but it's a start.

Anonymous # Tuesday, June 16, 2009 10:42:01 PM

Anonymous writes: Maybe you should learn how to password protect your passwords in Firefox. The feature is right there if you open up the options panel. Weak complaint if you do not even know what your browsers options are.

RejZoRrejzor # Wednesday, June 17, 2009 3:36:03 PM

Weak complaint is that you don't know Firefox any better than me.
If i set the Master password (doh, i know about it, if you'd actually read my message, you'd see i know that feature), Firefox is nagging about it on each Firefox start. And also on each Xmarks synchronization. And when i close a freakin' browser. Or when i make a new bookmark. Don't tell me thats not retarded? I just don't want it to openly show all my passwords to anyone who can walk to my computer.
Why oh why Opera for example doesn't do any of that, yet i or anyone else can't view stored messages by just clicking a button? And all the features work just fine.
Master password feature is a crappy and useless featuire that i'm sure out of all users only few are actually using it. And they don't care that they have to enter password for every stupid action Firefox does at the runtime.

Cyvros # Saturday, June 20, 2009 11:05:47 AM

In the latest version of Firefox, the master password works as it should. There is _no_ browser lock-down whatsoever.

The issues you are running into are all caused by Xmarks, not Firefox itself. If you pay attention, you should soon notice that it only nags for the master password if Xmarks is installed. I posit that this could be resolved by Xmarks saving the master password for future use. As such, it is not a problem for the Firefox team to resolve; it is one for the Xmarks team.

There is no master password option for Chrome, and on that matter, I agree that it is a security issue that should have been resolved some time ago.

Also, back on the original topic, the ability to show passwords is terribly useful if you have a bad memory or you use too many passwords. An alternative, of course, is the use of a program such as KeePass, which I'll note that I've never used, but have read and heard much about.

Anonymous # Monday, July 27, 2009 4:57:13 PM

Chad writes: I think the point is more of a matter of NOT storing passwords that are extremely important. If your PC is vulnerable to people walking past and playing around on it, perhaps you shouldn't be saving your password on the computer. After all, if your password is saved, they have access to your accounts even if they don't know what it really is. Firefox forces people to realize that they probably shouldn't store their password if it's possible that it could be picked up by physical access.

Anonymous # Tuesday, August 4, 2009 8:56:16 PM

Groxx writes: Safari doesn't have a "show password" feature because it uses Apple's built-in Keychain system for storing passwords. Keychain _does_ have a "show password" feature, which is protected by your login password (unless you change things around, which very few people do). I can't count how many times Keychain's "show password" feature has saved me from remembering 20+ wireless router passwords. It's come in handy for Safari's saved passwords too, though I've since switched to 1Password.

Anonymous # Thursday, August 20, 2009 12:05:51 PM

Anonymous writes: If a person has physical access to your machine.......

Jimbogijimbo # Friday, August 28, 2009 5:03:17 AM

I don't know, I guess I really don't see it as a very big deal when someone can actually SEE the password I have saved on Firefox because they can just click the login button with the saved password. I mean why waste time memorizing the visible password when you could just click a button to login. That's why I only have Firefox save passwords for sites that I don't really care if someone gets on. Generally these are the sites that require a login to view posts and such. I actually find it pretty handy cause then I can just punch in a bunch of random keys and don't have to worry about forgetting passwords for sites that really shouldn't need one.

I guess the worst case scenario would be if someone got onto all those sites and changed the password so I couldn't get on my account anymore. But I guess I'd just make another account then. Besides most sites that require passwords send a confirmation email before any changes are made and my email is one of those sites I don't let Firefox save passwords for.

RejZoRrejzor # Friday, August 28, 2009 6:46:54 AM

Thats not really that problematic if someone can log into an account on your PC. What worries me more is when someone can read your password easily and then access youir Hotmail/GMail account from his/her PC at home. If he just logins on my system, he can read only current stuff + is time limited before i walk back into the room), but he still doesn't know the login info.
Thats the main difference.

Jimbogijimbo # Thursday, October 1, 2009 8:09:43 PM

Yeah I guess that makes sense. Like I said though, I don't use firefox to remember any of my email passwords. Even if it were hidden and encrypted and everything I'm too paranoid about information like that being saved on my computer.

Anonymous # Friday, April 9, 2010 12:14:40 AM

Steve writes: You realise if someone you don't trust has physical access to your PC it's game over anyway right? If you want to provide others with access, you should just create another account under the operating system no non admin access - It's easy under practically all o/s these days. If you just want a simple deterrent then Firefox provides you a basic password to secure your passwords under your profile. Being able to see your passwords is useful for many who would forget otherwise. Of course you don't have to save any passwords at all either! A range of security options are available for users to use depending on requirements. I hardly see this as a serious security issue any more than if I have access to your house I could rob it!

RejZoRrejzor # Friday, April 9, 2010 4:01:57 AM

If someone gains access to my PC, that doesn't have to mean i have to serve all my passwords on a silver plater to him.
Trust me, not many are able to harvest passwords, but if you can read them with a click of a mouse button, that IS an issue.

Anonymous # Saturday, June 26, 2010 10:07:49 PM

ÐÐ½Ð¾Ð½Ð¸Ð¼ writes: я сосу хуй, 1488

Anonymous # Wednesday, July 14, 2010 2:42:48 PM

Anonymous writes: Ok but just suppose someone physically steals your PC. If you don't have a master password all they would need to do is turn on your PC, start your browser and then start visiting websites in your history. Say they went to Amazon, paypal, you bank's web site would they be able to access your accounts, buy stuff, ruin your credit? Does your browser automatically fill in the userid and password fields without you doing anything? At least with a master password they can't simply just visit the site with your browser to gain access. They would at least have to know the master password or how to decrypt the password files. I don't worry too much about people simply walking up to my PC or notebook, I can lock my PC. But I do worry about what kind of information I would be exposing if my PC or notebook was physically stolen. By the way what would you loose with your smart phone?

Anonymous # Wednesday, August 4, 2010 3:33:41 AM

Hydra writes: I use Opera. There should really be an option to have two master passwords, one for opening the browser (like it does), and one for allowing access to the password manager. This way a person who doesn't know the passwords can open the browser, but can't log in without the master Wand password. Another thing is that there are little apps that you can use to retrieve your password info. For example, there's an app that you can use to retrieve Opera passwords, and it reads the Wand file and saves all of the passwords in a text file. If someone gains physical access to your computer for a minute, they can just email the wand file from the Application Data folder to their account and then later run the password retrieval app. It won't work if there's a master password set in Opera, but if you set a master password, you'll have to enter it every time you open Opera.

Anonymous # Sunday, October 10, 2010 6:37:52 PM

Cris writes: You really should learn better about Firefox before complaining about security. As someone has said before, the problems with browser "lockdown" are (were) due to Xmarks, not to firefox. And even then, it would only ask for the master password once at the start and then stop nagging. BTW, they've fixed Xmarks now so you don't have anything to complain about. Firefox will NOT show your password to anybody, if you're using a master password. Even if someone could gain access to your box (not locked) with firefox running, they could not see your passwords because Firefox will ask for the master password again when you click "show passwords". If you use Firefox without a master password then you are asking to be owned. So pleasy stop complaining and go back to study.

RejZoRrejzor # Sunday, October 10, 2010 6:44:44 PM

I've studied it well and even though i admit i haven't connected Xmarks and password dialog it was still making that feature useless.

Anonymous # Monday, November 8, 2010 3:51:44 AM

Shadejumper writes: Wow RejZor, for some reason people are super defensive about this issue, on every board I've seen. I agree it's a big problem. It would be a very nice feature to not have to have a master password just to not show saved passwords. I use a master password at work of course, but at home I let visitors get on and use my computer, and sometimes visitors stop by and use the computer when I'm not around. An option to display all of my saved passwords with no security on it is at *least* something I should be able to disable or protect...without needing a password to use the browser. I'm not sure what the hell people are yammering on about with Xmarks...I don't do any bookmark synchronization or have an xmarks plugin installed, yet my browser's master password is required every time I open it. And if I have multiple tabs open with logins on them when the browser opens it asks for the master pw for each tab. That's a very different feature that preventing anyone from seeing all stored passwords in plain-text.

RejZoRrejzor # Monday, November 8, 2010 6:25:11 AM

I don't get the point of this feature anyway. If you set the passwords you have to know them anyway. So why have option to see them easily? It's like having a debit card with your PIN number written on it.

Anonymous # Tuesday, December 21, 2010 6:42:26 AM

red.joe writes: xD nice methaphor. I prefer opera everywhere, but at work i cannot use it since the IT guy's such an ass. The thing is that sometimes you may be in situations like you have to leave your pc to someone else, or just give your password. so what now? One password for your browser and all others are accessible to even the dumbest person? Except the situation that someone specifically desires to steal your passwords, the situation is more or less like offering them to him. Coming to physically stolen issue, that's whole another story. Think about your credit card again, if it's stolen, all your money still is spendable, so I guess it shouldn't be the concern of the browsers.

RejZoRrejzor # Tuesday, December 21, 2010 8:00:09 AM

Hey, if your IT guys are asses, use portable versions.
At work we have IE (like everywhere lol) and since access policy doesn't allow me to install anything i've resorted to portable versions of browsers like "Portable Firefox" which don't require admin rights to install. Chrome installs even on limited user account and so does Opera that you can now even install in a portable USB mode.

Anonymous # Wednesday, December 29, 2010 6:17:07 PM

Anonymous writes: I completly agree with RejZor, and that is why I use Lastpass, it solved the problem flawlessly.

RejZoRrejzor # Wednesday, December 29, 2010 6:28:15 PM

I've now switched to Xmarks and Chrome. This way i can store passwords and there is no way to view them.

Anonymous # Thursday, January 20, 2011 7:02:00 PM

Simon writes: I also want badly a password lock solely for the saved passwords. Actually virtually all my points were mentioned early but they seemed to be overlooked, possibly diverted by other issues. I don't know why an inclusion of such a small function can cause that great opposition. 1. Having right to access my account and knowing my password are TOTALLY DIFFERENT issues. I don't mind if others read some of my emails or so. But I don't want others to have FULL CONTROL of my accounts and know my password pattern. 2. Unavoidably my friends sometimes would be GIVEN the right to use my computer and browser to do something for me or for us. There's no risk of the computer being stolen or hacked beside me. The only risk is their little curiosity. 3. Master password is not an option since I am not wanting high level of security with the expense of convenience. What I want is a MINIMUM level of security without sacrificing any time. It's like if you are carrying $50,000 in your bag to the bank only 200m away, would you left the bag open because people can still take away your money anyway? And the crazy thing is that the solutions offered to using an open bag are either 1. hire a crew of professional armed guards with a bullet-proof car to help transport your money, or 2. carry $500 at a time, do it again and again and again

Anonymous # Tuesday, March 15, 2011 9:29:53 AM

fiaz1977 writes: RejZor: You are absolutely right!!! Why firefox gives out the password so easily that's the question.. here? All the other guys who posted here have ABSOLUTELY NO VALID REASON!!! Firefox gives the password out in the open. This is ABSOLUTELY STUPID. just with a click of a button "show password". Guys listen to RejZor. He is absolutely right. I am an IT Pro myself.. and I know exactly what RejZor means... and that's how I steal all my colleague's, friend's, and everyone else who is a naive user of firefox.. passwords anyway... because they are absolutely clueless.. :-) And, I am sure all the other guys who posted here does the same technique with their friend's pc as well.. NO WONDER THEY DON'T WANT IT CHANGED. Yes.. I know there are other ways to get the password from files in the firefox directory... don't you get in there... that's a whole different topic altogether. NOT FOR NOW.!!!

Anonymous # Tuesday, March 15, 2011 9:47:52 AM

fiaz1977 writes: http://kunalsachdeva.wordpress.com/2009/02/26/how-to-extract-saved-password-from-internet-explorer-mozilla-firefox-google-chrome-yahoo-messenger-gtalk-and-msn/ firefox is the only browser which do not require a software to be downloaded to see passwords

Anonymous # Tuesday, July 5, 2011 10:40:43 AM

writes: How can we make passwork for locking browser in Opera?

Anonymous # Monday, December 19, 2011 4:40:26 PM

Anonymous writes: I've read all the comments here and I agree with RejZoR and almsot everyone else. It is absolutely ridiculous that firefox will give up your saved passwords with a single click of the mouse. The worst part is that there is not even a dialog box that comes up warning you to create and use a 'master password' to protect those saved passwords from view. This is like you're going to be screwed by default unless you've looked through the options and figure it out on your own. I tested this on 2 of my friend's computers and neither of them had actually set a master password either. They were both so thankful that I had warned them of this vulnerability before someone had stolen their private information. Firefox really need to get this right and remove the option already! This feature does harm 100% of the time, I fail to see a single benefit here.