Huge security issue with saved passwords
Hi all!
To test this I did a complete fresh install of Firefox on Android. After installation I paired Firefox with my account via firefox.com/pair. On my PC the main password is activated and supposed to protect my passwords via encryption. After pairing and enabling the password sync option, all my stored passwords are available on the Android phone. And I can even have a look at them in clear text.
This is a huge problem since it never asked me for my main password. This password is supposed to be required to decrypt this data. Which means this data is not encrypted on the Firefox servers. Which in turn means even the passwords I use on the PC are not secure.
According to all the documentation I have read until now, I was assuming my data is only stored encrypted and can only be restored with the main password. Right now I don't really know what to do. I require a secure password store.
Many Greetings! Remo
All Replies (10)
Hi Remo,
This is not a security issue per se, you just have a misunderstanding. The primary password protects your local data on your computer. The synced data is encrypted by your Firefox Accounts password (technically a key derived from your password) on Mozilla's servers. When you log in to Sync on your phone, you give your Firefox Accounts password, which decrypts the synced data.
Regards, Balázs
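The separation Balázs describes, as an added Python model (not Mozilla's code and not Firefox Sync's actual scheme): the primary password only wraps the local copy, while the server receives a blob encrypted under a key derived from the account password, so the phone needs the account password and never the PC's primary password. The salts, KDF parameters and the toy HMAC-based cipher are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed sample data: a password store as it would live on the PC.
ENTRIES = b"example.org:remo:hunter2\nmail.example:remo:s3cret"
ACCOUNT_SALT = b"constructed-account-salt"   # placeholder, not Firefox Sync's real KDF input


def derive_key(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Stretch a password into a 256-bit key; `purpose` keeps local and sync keys distinct."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, 200_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream, used only so the demo needs no third-party AES.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None   # wrong key or tampered blob: nothing is revealed
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def pc_upload(primary_password: str, account_password: str, entries: bytes = ENTRIES) -> bytes:
    """What the PC does: keep a local copy under the primary password and push a copy
    encrypted under the account-derived key. Only the second blob leaves the machine."""
    local_key = derive_key(primary_password, b"local-profile-salt", b"local")
    _local_blob = encrypt(local_key, entries)            # stays in the profile directory
    sync_key = derive_key(account_password, ACCOUNT_SALT, b"sync")
    return encrypt(sync_key, entries)                    # this is all the server ever holds


def phone_read(server_blob: bytes, account_password: str):
    """What the phone does after signing in: derive the sync key from the account
    password and decrypt. The PC's primary password is never involved."""
    return decrypt(derive_key(account_password, ACCOUNT_SALT, b"sync"), server_blob)
```

Running `phone_read(pc_upload("pc-primary-pw", "account-pw"), "account-pw")` yields the entries, while passing the PC's primary password (or any other wrong password) returns `None`.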
Hi!
Is there some technical documentation that describes the sync process and its encryption in more detail?
I still think it is quite the security issue, if you just need access to an open instance of Firefox on a PC to get to all passwords currently stored in the current user's account. It also didn't ask me for a password to my account.
Many Greetings! Remo
Hi
In both cases, your user data (as with any other data on those devices) is protected by the password and operating system encryption that it is recommended that you have in place.
Hi!
You didn't get the point. It didn't ask for my account password on Android. So how did it decrypt the data? Since the data should be stored encrypted on Firefox servers and the key should be my password.
Many Greetings! Remo
Hi!
I had a look at the QR-Code and it seems to include the id and key of the account in clear text. For example: https://accounts.firefox.com/pair#channel_id=xyz&channel_key=xyz
And just as an addendum: Simply relying on OS encryption is not secure enough for something as sensitive as a password store. Each access resulting in clear text display of a password must require a password entry.
Many Greetings! Remo
Your user credentials are stored on your device, not on a server.
And how does Firefox sync across devices, when credentials are not stored on a server?
You can read how it works here: https://mozilla.github.io/ecosystem-platform/docs/features/firefox-accounts/pairing
Thanks for the link! This explains in sufficient detail how the process works. I need more time to look at the other topics but it seems like I need another more secure password manager. Firefox asks me for my main password as soon as I start the browser and never forgets it as long as it runs. And on mobile devices it purely relies on OS protection. For me that is not enough.
Hi,
The people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or Firefox developers. If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.
You can also file a bug report or feature request. See File a bug report or feature request for Mozilla products for details.