Thursday, July 03, 2008

Browser Password Managers - Safe?

When Firefox (or any other browser for that matter) prompts you to remember passwords, do you say 'Yes'? I used to, until yesterday, when I discovered how surprisingly easy it is for someone to get his/her hands on them.

Assume that I want to grab the passwords that Person X has saved on his computer using Firefox. This is how I would go about it —

Scenario 1: I have access to his computer

I would simply open up Firefox on his computer, go to Tools > Options > Saved Passwords > Show Passwords. Firefox shows so very neatly (in plain English), a window containing a list of sites along with the stored username and password for each of them.

Easy, no?

Scenario 2: The computer is at a remote location

You'd think getting those passwords in such a scenario is difficult, but it isn't. All you need to know is the location of the files that contain all the username/password information and then write a simple program that mails those files to you as attachments.

First the location of the files. If you have Windows installed on C: drive, then you'll find all the important files at the following location —

C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\Profile Folder

Open up the file called signons3.txt. You'll see a list of websites along with the username and password saved for each of them. However, you can't read it because it's in an encrypted format. To decrypt it, you'll need the private key — this is stored in the file key3.db. And the certificates (signed public keys) are stored in the file cert8.db. The MozillaZine page has more details about these files.

I wrote a small application that locates these files on a user's computer and sends them to me as email attachments. I tried out the application on Karthik's laptop and it worked like a charm! Once I got the files, I simply replaced my copies of the files with the ones I downloaded and voila! I could now log on to all the sites that Karthik had saved passwords for!


I wrote a harmless version of the same application for you guys to try out — download it here (5KB ZIP). It does everything except the emailing. If you don't trust me, you can always disable your internet connection before you run it.



If you're saying "Whew! Thank God I use Internet Explorer and not Firefox!", you should know that a similar process can be employed to grab passwords from ANY browser that has the Remember Passwords feature.

Anyway, if you're interested in reading more about all this stuff, I suggest you have a look at this exhaustive two-part article on "Password Management Concerns with Firefox and IE"

Part 1: http://www.securityfocus.com/infocus/1882
Part 2: http://www.securityfocus.com/infocus/1883

3 comments:

Unknown said...

Good post. People are under the impression that browsers and the net are generally safe. Even passwords should be thought out carefully, you cant have a simple password, you never know who can crack your password. The net ofcourse is so huge that the chances that someone might stumble upon your account are remote...but you never know.

Asmita Nandedkar said...

wow! wat an eye opener.. but my bowser doesnt let me open the page unless i save the passwords! now i read the post and changed the setting.. as pavan said .. i did underestimate the browser's power.. although i never thot internet was safe!

Varun Abhiram said...

Well if you have a good firewall installed you should be generally safe, unfortunately most people I know don't use one...