It was possible to access the contents of the password manager even if a master password was set.
Mozilla recently released Firefox Update 68.0.2. This plugged a flaw that allowed to steal the content of the integrated password manager browser by a simple copy and paste, even if the user has set a master password. All that was needed was to go to the "Options -> Privacy and security" menu, open the "Registered identifiers ..." panel, right click on one of the entries and choose "Copy word from past ". But at no time did the browser request the entry of the master password. Since the update, it is now the case.

Despite its simplicity, Mozilla felt that this vulnerability was of a moderate level, since the hacker must already have access to the machine before he can exploit it. Anyway, users of the password manager Firefox have interest in checking that this update is installed and a master password is set. Otherwise, passwords will always be accessible locally.

Leave a Reply