Password information can be accessed via the DOM by injecting malicious code or by social engineering techniques such as phishing or fake software updates. Some Firefox installations also have Form Manager enabled by default if you installed the browser from a PPA or third party. This vulnerability affects Firefox 66. Firefox versions 66 are potentially affected by another common password management issue: the Form Manager stores usernames (not passwords) unencrypted by design in many cases. The following information is stored: user name (not password),
This is fixed in Firefox versions 66. Note that upgrading to a newer version does not automatically fix vulnerable installations. You need to manually configure Form Manager to disable saved by clicking on the menu item Options, then select Harvest and Manage Logins.
Credit to the original reporter of the vulnerability ,
"Zak Zidar"
How Does Form Management Works?
Form Management is a feature that allows you to control how Firefox handles saved usernames and passwords. Forms are created by sites where you enter your username and password. Those form data are stored in a local or session state, or they can be saved to disk locally or on the server.
What is the Form Manager?
Form Manager is a password manager that helps you store sensitive information such as passwords, keys, and credit card numbers. Form Manager is available in the browser and can be used to remember passwords for websites or other programs.
Form Manager stores all passwords encrypted locally in the browser's local storage, but it is possible to break this encryption by injecting malicious code into the web page you are visiting.
Form Manager also stores usernames (not passwords) unencrypted by design in many cases, making it possible for attackers to steal usernames stored in Form Manager.
Firefox Password Storage Bypass
The following password storage issue affects Firefox 66 and later versions of the browser.
Password storage can be accessed by injecting malicious code or by social engineering techniques such as phishing or fake software updates. Some Firefox installations also have Form Manager enabled by default if you installed the browser from a PPA or third party. This vulnerability affects Firefox 66 and later versions of the browser.
What is the issue?
This is a potential vulnerability in Firefox versions 66 that affects the Form Manager. The Form Manager is enabled by default in some installations and stores passwords unencrypted by design. This means that if another user gains access to your computer, they can view your saved passwords without any additional action needed.
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:42:00 UTC