grandeduc - Fotolia
How did an old, unpatched Firefox bug expose master passwords?
A Firefox bug went undetected for nine years. Expert Michael Cobb explains how it enabled attackers to access the browser's master password and what's being done to mitigate it.
A nine-year-old bug in Firefox was recently discovered that enables attackers to access a browser's master password. How does this Firefox bug work, and how did it go so long without detection?
To make it easier for users to use complex passwords for their online accounts, modern browsers provide the option to store their login credentials for each site. This feature saves the user from the need to remember each different password, as the browser provides the password when it is requested.
Of course, the password store itself needs a password to encrypt and protect its contents; otherwise, the login credentials remain at risk of disclosure. Firefox encrypts and stores the credentials in the file logins.json and stores the master password in key3.db. However, the way it is encrypted leaves it open to a brute force attack.
This Firefox bug was first reported nine years ago on Bugzilla, Mozilla's bug tracking system. The short description of Bug 524403 says, "softtoken's master password KDF process should be stronger (currently easily brute forced due to low iteration count)." Five years later, the same concerns were raised in Bug 973759 -- the master password needed stronger cryptography.
While investigating how Mozilla's browser converts a master password into an encryption key, Wladimir Palant, the developer of the content filtering and ad blocking browser extension Adblock Plus, found that these issues had not been addressed or closed.
The sftkdb_passwordToKey() function that converts a password into an encryption key does so by using a single SHA-1 iteration and a string consisting of a random salt and the user's master password. Even if a user doesn't assign a master password, stored credentials are still encrypted using a random salt.
But SHA-1 has not been considered secure since 2005, and major browsers no longer accept SHA-1 SSL certificates. The initial report noted that increasing the number of iterations of the SHA-1 hash to 1,000 would help improve security, but the downside would be a slower startup for Firefox, so is this a case of security being compromised for convenience?
The lack of urgency to address this Firefox bug is due to the perceived threat model. The master password feature was introduced to hide passwords from other family members on a shared computer; it wasn't intended to prevent a committed attacker from recovering passwords, which is a very different scenario and would require a completely different design. To brute force the master password, the attacker would first have to have physical access to it and then would need to compromise the computer to obtain the file, by which point they have plenty of options to steal whatever they want.
Therefore, this Firefox bug doesn't rank that highly in terms of urgency, and some would say that it doesn't even qualify as a security bug. However, deprecated algorithms like the SHA-1 hash should not be used any longer, and code maintenance procedures should ensure encryption libraries and functions are upgraded to keep products up to date and secure against newer threats.
Password keepers do improve security, as they're safer than reusing the same password for different accounts, but it is important to use a long and strong password for the master password; otherwise, dictionary attacks will quickly crack it. There is some debate as to how best to improve the cryptographic strength of Firefox's master password or even if the feature should be kept in future versions.
Meanwhile, Mozilla is working on the Lockbox extension, a simple, stand-alone password manager that works with Firefox for desktop.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)