Tutorial - Security Loophole In Firefox


Firefox is a lovely browser. Faster, and more stable than Internet Explorer, it also effectively suppresses intrusive pop-up windows and is less prone to hacker attacks.

Yet, while Firefox provides greater security against the enemy "out there" - i.e. the hackers and crackers in Bulgaria, Russia, Morgantown WV or even Chipping Sodbury - it provides no meaningful defence against the "enemy within."

"Who they?" you might ask. Well, the "enemy within" could be your spouse, your child, your colleague in the office, your cleaner, the guy who comes to install your cable - anyone, in fact, who can access your computer - if only for a few seconds.

That enemy within could even be you - and it is all down to what I consider to be this fundamental security flaw within the architecture of the Firefox browser:

By default, the saved usernames and passwords of everyone who uses Firefox on any computer are not simply vulnerable; under the default settings, they are literally begging to be stolen.

Check this out:

On the Firefox toolbar, click on Tools; a dropdown menu will display, and you need to select the item that is typically at the bottom of that menu: Options.



Clicking on Options will result in the er, Options Menu displaying. You will see a number of clickable tabs at the top of this Options Menu; the one you need to select is:

Security:



Meanwhile, if you have not done this before, notice in the snapshot above that the default Firefox settings within the menu are:

"Remember passwords for sites": Checked
"Use a master password": Unchecked

We'll revisit these settings a little further down the page.



Now, click on the "Saved Passwords" button.



Do you see what I see in the picture below? Another, smaller menu named "Saved Passwords" pops up. It features two columns; the left-hand column is termed "Site", and the right-hand one "Username".

(With one exception, I have redacted all of the usernames from this snapshot)



No actual passwords on display yet, but Lordy! Do you really want your boyfriend or your girlfriend, your husband or your wife (or all four, if you're the adventurous sort) having access to even all of your usernames? Probably not. (And it gets worse).


At the bottom right of the Saved Passwords box in the above picture you will also see a button marked "Show Passwords". Click it, go on.

Maybe Firefox knows you are being naughty now; (and possibly you are, if the PC you are sitting at right now is a shared computer). It knows you are being naughty, because before it will show you all of the passwords which match those usernames, it presents you with one chance to change your mind; a confirmation button asking "Are you sure you wish to show your passwords?" (Well, Punk? Are Ya?)



Oh, go on, then. Let's click yes. But I blame you for this, not me.
That Saved Passwords box no longer features just two columns:



It now features a third column. The right-hand column is headed "Password". This area of Firefox shows all previously visited websites (by all Firefox users on the computer you are using) where any of those users have created a password-protected log-in; it also divulges all of the usernames and the passwords used to log into those sites.

Would a car manufacturer sell you a new car and place a spare set of keys above the wheel arch without at least ensuring they told you? Shame on you, Mozilla...


Hey kids! If mum and dad suddenly and inexplicably start encouraging you to use Firefox instead of Internet Exploder it has nothing to do with me, right?

Now, depending upon your motives for doing this, the Saved Passwords box gives you an option to selectively remove passwords, or remove all of them (but this is no sort of real solution to the issue at all).

Close the box off, and click on Tools, Options again. From the Options box, once more select the Security tab. To better protect the integrity of both your Usernames and your Passwords you can now do one of two things; you can either:

1. Remove the passwords (as in the previous step) and then uncheck that "Remember passwords for sites" box; or (way better);

2. You can protect all your passwords (which are probably pretty much all the same anyway?) with a Master Password.


So, place a tick in the "Remember passwords for all sites" box.



Doing so will present you with a Change Master Password form. Just like it says on the form, "Please make sure you remember the master password you have set..."

Obvious, really. Enter your (new!) Master Password in the top field, duplicate it within the second field, and click OK.

Provided you managed to enter the exact same password in both fields, you will then be presented with a pop-up box: "Master Password successfully changed". You won't forget what the Master Password is, will you?



Now, close down all open Firefox windows. Then restart it. Once Firefox is open (and every time from now on that Firefox opens), the only person who can view all those usernames and passwords is the person with the Master Password.

Try it; from the Firefox browser bar, click Tools then Options; then click on the Security tab in the Options Box and click on the Saved Passwords option just like before:



Firefox: still way better than Internet Explorer, and, with this tweak, more secure too.
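
If you look after more than one machine or profile, the same check can be scripted. The sketch below is an added example, not part of the original tutorial or of Firefox itself: it reads a profile folder and reports whether "Remember passwords for sites" is still on and how many logins are stored, without reading any of them. It assumes a current profile layout (prefs.js, user.js, logins.json) and the signon.rememberSignons preference; older Firefox releases keep logins under other file names, which this sketch does not read. The function names and the two sample profiles are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# prefs.js lines look like: user_pref("signon.rememberSignons", false);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def read_prefs(profile: Path) -> dict:
    """Parse prefs.js, then user.js (which overrides it), into a dict."""
    prefs = {}
    for name in ("prefs.js", "user.js"):
        path = profile / name
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for key, raw in PREF_RE.findall(text):
            try:
                prefs[key] = json.loads(raw)   # true/false, numbers, "strings"
            except json.JSONDecodeError:
                prefs[key] = raw               # keep unparsed values as text
    return prefs

def audit_profile(profile: Path) -> dict:
    """Report whether the profile remembers passwords and how many are stored."""
    remember = read_prefs(profile).get("signon.rememberSignons", True)  # default is on
    stored = 0
    logins = profile / "logins.json"
    if logins.is_file():
        try:
            data = json.loads(logins.read_text(encoding="utf-8"))
            stored = len(data.get("logins", []))   # count only, never read entries
        except (json.JSONDecodeError, AttributeError):
            stored = -1                            # unreadable store: check by hand
    return {"remember_passwords": bool(remember), "stored_logins": stored,
            "needs_review": bool(remember) or stored != 0}

def demo() -> list:
    """Build two constructed profiles in a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        default, hardened = Path(tmp, "default"), Path(tmp, "hardened")
        default.mkdir()
        hardened.mkdir()
        # Constructed sample data: placeholder hostnames, no real credentials.
        sample = {"logins": [{"hostname": "https://example.test"},
                             {"hostname": "https://mail.example.test"}]}
        (default / "logins.json").write_text(json.dumps(sample))
        (hardened / "prefs.js").write_text('user_pref("signon.rememberSignons", false);\n')
        return [audit_profile(default), audit_profile(hardened)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A profile flagged needs_review still has to be opened in Firefox to confirm that a Master Password is set; the script does not inspect the key store, so it cannot tell you that.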






Martin Kearns' Home