Show passwords feature is a serious security issue in Firefox and Chrome
Friday, 12. June 2009, 21:20:13
I'm wondering one thing. Firefox and Chrome are both constantly bragging about security.
Yet they both fail at their very core feature. They serve ALL your passwords to anyone, even the dumbest user who can get physical access to your browser. As much as this doesn't seem to concern anyone at Google or Mozilla, it certainly concerns me. And it should also seriously concern you, if you are a user of either Firefox or Chrome. Why the hell is this feature even there? Sure, you can hack passwords out of the Firefox/Chrome storage files, but tell me, how many average users can actually do that?
I bet 90% of them don't even know what a "profile folder" is. But here, it's just a click away. Served on a silver platter to anyone. There goes all the security out the window...
There is of course the "Master Password" feature which couldn't be any more useless than it is.
Instead of locking the "Show password" function alone, it locks the entire browser. How f**kin' gay is that? Sure, it may come in handy for something, but they could just as well make two lock-down features:
"Master browser lock" and "Master password lock". The first would lock the entire browser from unauthorized access without the password, and the second would just prevent anyone from accessing ALL of your passwords while giving free access to all other browser features (so you can actually browse the web).
There was a surprise after checking a few other browsers, however. Opera, Safari and yes, even Internet Explorer 8 don't show passwords to everyone. You can see which pages have a password stored and what user name is used there, but there is no way to see the actual passwords.
I'm using Firefox and this really concerns me. All passwords are just a click away. Yeah, you can check it and see it for yourself under Tools\Options\Security -> Saved passwords.
Chrome is no better. But Opera, Safari and IE8 surprised me. They actually have this done right.
I especially don't get why they left this in there while they are constantly working on security fixes, implementing new security features and so on. But it seems they only care about remote stuff.
Local access is just as problematic as remote access.
So, if you're in any way affiliated with either Mozilla or Google, or if you know the right people there, let them know that this is a serious security issue that needs to be addressed soon.

Anonymous # 15. June 2009, 21:44
try this:
http://geek-out-blog.blogspot.com/2008/06/how-to-remove-show-passwords-button-in.html
it's not the perfect solution (considering someone could still easily delete userChrome.css file), but it's a start.
Anonymous # 16. June 2009, 22:42
Maybe you should learn how to password-protect your passwords in Firefox. The feature is right there if you open up the options panel.
Weak complaint if you do not even know what your browser's options are.
RejZoR # 17. June 2009, 15:36
If I set the Master password (doh, I know about it; if you'd actually read my message, you'd see I know that feature), Firefox is nagging about it on each Firefox start. And also on each Xmarks synchronization. And when I close a freakin' browser. Or when I make a new bookmark. Don't tell me that's not retarded? I just don't want it to openly show all my passwords to anyone who can walk up to my computer.
Why oh why does Opera, for example, not do any of that, yet neither I nor anyone else can view stored messages by just clicking a button? And all the features work just fine.
The Master password feature is a crappy and useless feature that I'm sure only a few out of all users are actually using. And they don't care that they have to enter the password for every stupid action Firefox does at runtime.
Cyvros # 20. June 2009, 11:05
The issues you are running into are all caused by Xmarks, not Firefox itself. If you pay attention, you should soon notice that it only nags for the master password if Xmarks is installed. I posit that this could be resolved by Xmarks saving the master password for future use. As such, it is not a problem for the Firefox team to resolve; it is one for the Xmarks team.
There is no master password option for Chrome, and on that matter, I agree that it is a security issue that should have been resolved some time ago.
Also, back on the original topic, the ability to show passwords is terribly useful if you have a bad memory or you use too many passwords. An alternative, of course, is the use of a program such as KeePass, which I'll note that I've never used, but have read and heard much about.
Anonymous # 27. July 2009, 16:57
I think the point is more of a matter of NOT storing passwords that are extremely important. If your PC is vulnerable to people walking past and playing around on it, perhaps you shouldn't be saving your password on the computer. After all, if your password is saved, they have access to your accounts even if they don't know what it really is. Firefox forces people to realize that they probably shouldn't store their password if it's possible that it could be picked up by physical access.
Anonymous # 4. August 2009, 20:56
Safari doesn't have a "show password" feature because it uses Apple's built-in Keychain system for storing passwords.
Keychain _does_ have a "show password" feature, which is protected by your login password (unless you change things around, which very few people do).
I can't count how many times Keychain's "show password" feature has saved me from remembering 20+ wireless router passwords. It's come in handy for Safari's saved passwords too, though I've since switched to 1Password.
Anonymous # 20. August 2009, 12:05
If a person has physical access to your machine.......
Jimbo # 28. August 2009, 05:03
I guess the worst case scenario would be if someone got onto all those sites and changed the password so I couldn't get on my account anymore. But I guess I'd just make another account then. Besides most sites that require passwords send a confirmation email before any changes are made and my email is one of those sites I don't let Firefox save passwords for.
RejZoR # 28. August 2009, 06:46
That's the main difference.
Jimbo # 1. October 2009, 20:09