Master password security issue!
Hi,
I just found out that if selecting "cancel" on the Master Password dialogue when Firefox is started, then it is still possible to change all Firefox settings (except viewing saved passwords). Doesn't that counteract the purpose of a Master Password to some extent? And worse: You are also automatically logged in to some (but not all) sites with previously saved passwords! (E.g. your Firefox and Google accounts, but not Microsoft OneDrive...)
And this happens even if configuring Firefox *not* to keep active logins after closing down! Isn't that a bug, or am I missing something here?
It seems the only way to ensure that everything is logged out for next session is to remember to manually logout on every site you have visited (not safe!), or not allow entered passwords to be remembered (very inconvenient!), or not allow cookies to be kept offline (which would render many sites unusable!)
I wish a cancelled/failed Master Password login would disable *all* functionality in Firefox (except factory reset) until correctly entered, and only then allow auto-logins or Firefox settings (e.g. account or sync settings) to be changed.
I'm running Windows10 (64-bit) with latest updates, and Firefox (64-bit) v58.0.2.
All Replies (7)
hi, the master password only secures your stored credentials in the password manager - it isn't supposed to lock down the whole firefox configuration.
Use a Primary Password to protect stored logins and passwords
sites will keep the information that you're logged in in cookies they set - so if you want to prohibit that across sessions you should set firefox to only keep cookies until you close firefox.
Thanks for the suggestion, but that's not a viable option for me, since most of the sites I use don't work properly if cookies are not stored between sessions.
But why doesn't the "remove active logins" configuration when closing down Firefox work anymore? (I'm pretty sure it worked in older versions of Firefox).
Some other suggestions would be an easy "logout" button for the Master Password session, and also a (configurable) timer function when forgetting to logout...
Engztrom said
But why doesn't the "remove active logins" configuration when closing down Firefox work anymore? (I'm pretty sure it worked in older versions of Firefox).
"Active logins" refers to a different kind of login, where the web server uses "basic authentication." In that case, Firefox presents a pop-up dialog asking for username and password. Those are stored separately from cookies so they have their own category in the list of kinds of history you can clear.
But you run Windows 10. Unless you give someone your Microsoft account login, no one can use your Firefox, right? You just have to lock your screen when you step away from the keyboard and have Windows set to require your password to access the system.
So what you say is that Mozilla basically has outsourced all security handling to Microsoft? (UGHH! This is the stuff nightmares are woven from!!!)
Engztrom said
So what you say is that Mozilla basically has outsourced all security handling to Microsoft? (UGHH! This is the stuff nightmares are woven from!!!)
I did not say anything about Mozilla. I pointed out that you already can control access to your application software (including browsers) with the tools built into your OS. You do that, right? Why would you not do that if there is a risk of someone else getting physical access to your computer?
On the larger question:
As far as I know, this is how all major browsers work: if you do not log out of sites AND you do not clear cookies, your session could be resumed the next time the browser is started (if the site does not expire your session in the meantime).
How would you remedy that? In principle, you could have Firefox block access to previously set cookies until a password is entered. Perhaps the browser could start in a guest access mode that looks like a fresh install, and then allow you to access your saved settings by entering a password? Sounds like a nice feature. (I wouldn't use it myself unless I was forced to share my computer.)
No idea how much more secure that would be since cookies, history, saved tabs, etc., are not stored in encrypted form (unlike passwords protected by a master password). Remember that the more you encrypt, the more people will lose access to their data because we all have too many passwords we can't remember. So any change like this needs to be thought out very carefully.
You can submit feature suggestions in many places, depending on whether you want more of a "suggestion box" or a discussion:
- Feedback: https://qsurvey.mozilla.com/s3/FirefoxInput/
- Reddit: https://www.reddit.com/r/firefox/
- Twitter: https://twitter.com/firefox
- Facebook: https://www.facebook.com/Firefox
You should logout from websites before closing Firefox if you do not want a website to remember you across sessions. This also resets your login status on the server, so nobody would be able to misuse your cookies.
Note that Firefox also stores cookies in sessionstore.jsonlz4 as part of session data, so it won't help to clear cookies when you close Firefox.
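The replies above explain that a site's login survives a restart only because a persistent cookie (one with an expiry date in the future) survives a restart. As an added example that is not part of this thread or of Firefox itself, the script below audits a Firefox profile's cookies.sqlite and reports which hosts still hold unexpired cookies, and for how long, so you can see which sites could auto-resume a session on the next start. It assumes (not confirmed by the thread) that the profile folder contains cookies.sqlite with a moz_cookies table having at least the columns host, name, expiry (Unix seconds), isSecure and isHttpOnly; the rows it runs on are constructed sample data, not from any real profile.

```python
"""Audit which cookies in a Firefox cookies.sqlite will outlive a restart.

Added example, not from the forum thread or Mozilla. Assumptions: the file is
<profile>/cookies.sqlite and its moz_cookies table carries at least the columns
host, name, expiry (Unix seconds), isSecure, isHttpOnly. The sample rows below
are constructed for demonstration.
"""
import sqlite3
import time

# Subset of the moz_cookies columns this script relies on (assumed schema).
SCHEMA = """
CREATE TABLE moz_cookies (
    id         INTEGER PRIMARY KEY,
    host       TEXT,
    name       TEXT,
    value      TEXT,
    path       TEXT,
    expiry     INTEGER,
    isSecure   INTEGER,
    isHttpOnly INTEGER
);
"""

# Fixed reference time so the sample is reproducible (constructed value).
NOW = 1_700_000_000
DAY = 86400

# Constructed sample rows: (host, name, value, path, expiry, isSecure, isHttpOnly)
SAMPLE_ROWS = [
    (".accounts.example", "session_token", "tok-1", "/", NOW + 30 * DAY, 1, 1),
    (".accounts.example", "prefs", "dark", "/", NOW + 365 * DAY, 0, 0),
    ("mail.example", "SID", "tok-2", "/", NOW - 60, 1, 1),   # already expired
    ("shop.example", "cart", "3", "/", NOW + 3600, 1, 0),    # expires within the hour
]


def open_sample_db():
    """Build an in-memory database shaped like cookies.sqlite from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def open_profile_db(path):
    """Open a real profile's cookies.sqlite read-only.

    Firefox locks the file while running, so copy it elsewhere first.
    """
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def surviving_cookies(conn, now=None):
    """Return {host: [(name, days_left, secure, httponly), ...]} for every cookie
    whose expiry is still in the future, i.e. the ones Firefox will send again
    after a restart unless cookies are cleared on close or the user logs out."""
    if now is None:
        now = int(time.time())
    rows = conn.execute(
        "SELECT host, name, expiry, isSecure, isHttpOnly FROM moz_cookies"
        " WHERE expiry > ? ORDER BY host, name",
        (now,),
    )
    result = {}
    for host, name, expiry, secure, httponly in rows:
        days_left = (expiry - now) // DAY
        result.setdefault(host, []).append((name, days_left, bool(secure), bool(httponly)))
    return result


def long_lived_hosts(conn, now=None, min_days=7):
    """Hosts holding at least one cookie that lasts min_days or more: these are the
    sites most likely to auto-login on the next start."""
    return sorted(
        host
        for host, cookies in surviving_cookies(conn, now).items()
        if any(days >= min_days for _, days, _, _ in cookies)
    )


if __name__ == "__main__":
    db = open_sample_db()
    for host, cookies in surviving_cookies(db, NOW).items():
        print(host)
        for name, days, secure, httponly in cookies:
            print(f"  {name:<14} {days:>4} days left  secure={secure} httponly={httponly}")
    print("long-lived:", long_lived_hosts(db, NOW))
```

To run it against a real profile, replace open_sample_db() with open_profile_db("/path/to/copy/of/cookies.sqlite"); the session-only cookies kept in sessionstore.jsonlz4 are not in this file, so the report covers only the persistent ones.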
Engztrom said
So what you say is that Mozilla basically has outsourced all security handling to Microsoft?
The desktop Firefox is not just for Windows 7, 8, 10 but also for Mac OSX 10.9+ and Linux so this would not make sense. ;)