Passwords are getting saved in dump file on user login even after the encryption


Hi folks, We have an application in Angular 10, and the issue is that once the user tries to log in by entering email and password, the password is getting saved in the browser's dump; you can view the file in a hex editor. This is a security threat for the application. We have used crypto-js and do encryption on the client's end, and I can also see the encrypted password arriving at the backend. So I need help with why this is happening and how this can be remediated.

All Replies (4)

I am not creating O/S dump files. I have an application built in Angular 10, and it has a login page. When I run this application in the Firefox browser, enter the password, and then go to Task Manager, right-click and create a dump file, it stores that file in a temp location in my OS. When I open this file using HexEditor and search for my password, I find it there. So my question is why the Firefox dump is capturing the user's password. If you want to test this, take Gmail as an example: log in to your Gmail account, then create a dump of the Firefox browser from Task Manager, open the file in a hex editor and search for your Gmail password. You will notice that the browser is capturing your password, but why is the browser doing this? It is a security concern for my application.

Modified by basantanimohit1312

Could you file a bug report on https://bugzilla.mozilla.org/?

@Dropa I am sure you have not understood what my question is? Let me explain in simpler words, and please follow the attached screenshots. I hope that if you follow the screenshots you will be able to understand my question.

1. I opened the Firefox browser on my machine and entered the URL of my demo app, http://localhost:4200
2. I entered the email and password credentials for login and clicked the submit button.
3. Then I opened Task Manager and from there I created a dump file.
4. I opened this file in the Neo HexEditor and searched for the password I entered above, and this password had been captured in the Firefox browser's dump file.

So why is Firefox saving these passwords in dump files? This is a security threat.

The images zip can't be uploaded here. Can anyone suggest how I should do that?

basantanimohit1312 said

So why is Firefox saving these passwords in dump files? This is a security threat.

I think the dump files you create from Task Manager capture the contents of the process's memory. So in my mind, the question is why Firefox is storing logins in plain text in memory rather than encrypting them in some manner. Now, it could be that the encryption key also would need to be in the same process's memory so it wouldn't be much of a gain to encrypt the login, but maybe it's better than nothing?
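The check described in this thread (searching a process dump for a password that was typed into the page), as an added example that is not part of the original posts: it streams a dump file and reports the offsets of a throwaway test credential. The function names, the canary value `Canary-Pw-1!`, the sample bytes, and the assumption that text may sit in memory either one byte per character or as UTF-16LE all belong to this example.

```python
import io
import sys

def patterns_for(canary):
    """Byte forms the canary may take in memory (assumed: 1-byte or UTF-16LE)."""
    return {"utf-8": canary.encode("utf-8"),
            "utf-16le": canary.encode("utf-16-le")}

def scan_stream(stream, canary, chunk_size=1 << 20):
    """Return {encoding: [absolute offsets]} of every canary hit in the stream.

    Reads in chunks so a multi-gigabyte dump never has to fit in RAM, and
    carries a tail between chunks so a hit split across a boundary is found.
    """
    patterns = patterns_for(canary)
    keep = max(len(p) for p in patterns.values()) - 1
    hits = {name: [] for name in patterns}
    tail, base = b"", 0  # base is the file offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return hits
        window = tail + chunk
        for name, pat in patterns.items():
            pos = window.find(pat)
            while pos != -1:
                offset = base + pos
                # Skip hits already reported from the overlapping tail.
                if not hits[name] or hits[name][-1] < offset:
                    hits[name].append(offset)
                pos = window.find(pat, pos + 1)
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)

def constructed_dump():
    """Constructed sample bytes standing in for a dump; not real browser data."""
    canary = "Canary-Pw-1!"
    return (b"\x00" * 10 + canary.encode("utf-8") + b"\xff" * 5
            + canary.encode("utf-16-le") + b"\x00" * 3)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <dump file> <test credential>
        with open(sys.argv[1], "rb") as fh:
            print(scan_stream(fh, sys.argv[2]))
    else:  # no arguments: run on the constructed sample with tiny chunks
        print(scan_stream(io.BytesIO(constructed_dump()), "Canary-Pw-1!", 16))
```

Searching only for the ASCII form in a hex editor can miss a copy held as UTF-16, which is why both patterns are checked.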