Firefox is one of the best web browsers of the entire internet world, right? It’s stable, fast and awesome with thousands of extensions in the store. In every case, Firefox competes with all other web browsers and have earned a good reputation. However, there’s a security gap found recently in the browser that puts users at risk.
The risk
If you’re a Firefox user, you already know that there’s a feature named “Master Password”. The browser will remember all the passwords of every login credentials; you have to unlock them only using the master password. This is a really time-saving and powerful feature. Unfortunately, due to poor design, the system is highly vulnerable.
The same feature is available in both Firefox and Thunderbird. Security experts lauded the attempt as until that point, Firefox saved the passwords in the cleartext format, leaving them vulnerable to anyone having physical access to the PC. Now, the author of Adblock Plus – Wladimir Palant, says that the master password system uses a weak encryption method that’s highly vulnerable to brute-force attacks.
The leakage
Palant looked into the source code and found the function that converts the passwords into SHA-1 string along with some random salt and the actual master password.
In this process, the count of iteration is a big factor. The higher the count, the better protection. In the industrial area, the accepted value is 10,000 whereas other powerful apps like LastPass use the value 100,000. In this factor, the count for Firefox is extremely LOW – only 1!
This low iteration count allows a hacker to easily break down the master password by using the brute-force attack and use it to decrypt other stored passwords from the database of Firefox and Thunderbird. Palant also points out to present powerful GPUs that can brute-force simplistic passwords within a minute. Thus, the “Master Password” feature isn’t worth at all.
This issue was reported about 9 years ago by Justin Dolske when the “Master Password” feature was just launched. Despite the report, Mozilla didn’t take any official action for years! Recently, Palant received the first official Mozilla response regarding the case – they’re developing a better tool, currently codenamed “Lockbox” and it’s available as an extension. Once it’s fully developed, it’s supposed to solve the issue.
If you’re using a master password, you don’t need to worry right now. Unless Mozilla fixes things permanently, use a longer and more complex password. This way, the vulnerability can be mitigated to the lowest level. If you’re not using, use master password as it encrypts the other passwords instead of plain text.
