Firefox vulnerability in its master password system has gone unpatched — for nine years!

Firefox tends to be one of the more secure browsers available to the general population. The browser is not without its flaws, but these flaws have tended to be fixed in a relatively timely fashion. But new reports indicate this is not always the case. According to a post released on Ad-Block Plus creator Wladimir Palant’s blog, there is a serious Firefox vulnerability that has gone unpatched for a mind-boggling nine years.

This Firefox vulnerability is related to the master password available for encryption of stored passwords. As Palant notes in his post, the actual encryption behind the master password is incredibly weak and easy to brute-force. The Firefox (and Thunderbird) master password system utilizes SHA-1 encryption, which is incredibly problematic. Palant states these issues as follows:

GPUs are extremely good at calculating SHA-1 hashes... a single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second. And humans are remarkably bad at choosing strong passwords... the average password is merely 40 bits strong. In order to guess a 40 bit password you will need to test 239 guesses on average. If you do the math, cracking a password will take merely a minute on average then."

Making the problem even worse for Mozilla is the fact that one of its own researchers uncovered the flaws in their master password system roughly nine years ago. This bug report states that “softtoken’s master password KDF process should be stronger (currently easily brute forced due to low iteration count),” and at the time (and for nearly a decade) Mozilla chose inaction with regards to this issue.

After numerous InfoSec news sites reported Wladimir Palant’s findings, Mozilla stated that they had a fix for the rather glaring issue. According to Bleeping Computer’s report by Catalin Cimpanu, “Mozilla finally provided an official answer, suggesting this would be fixed with the launch of Firefox’s new password manager component — currently codenamed Lockbox and available as an extension.”

I’m thoroughly disappointed in Mozilla for its lack of oversight on an issue that had long ago been reported by their researchers. Hopefully, they have learned from this humiliation and will be more diligent in the future.

Photo credit: Mozilla Foundation

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

How to repair PST files and import data back to Outlook or Office 365

If your business relies on Outlook, you can’t risk losing mailbox data because of PST files corruption. Here’s how to…

2 days ago

Container security rises to meet the challenges of container vulnerabilities

As container technology becomes ubiquitous, container security has become crucial. Here’s a look at some recent innovations in this growing…

2 days ago

Best of CES 2020: Products, innovations, and services

From flying Ubers to rolling robots, CES 2020 had it all — and then some. Here’s a look at some…

3 days ago

Hardening your technology infrastructure in preparation for a DDoS attack

By establishing these 11 appropriate controls beforehand, your organization will be better positioned to withstand and survive a DDoS attack.

3 days ago

Microsoft App-V as an application virtualization solution: Pros & cons

If your shop is considering using App-V as an application virtualization solution, read this article first and weigh the pros…

3 days ago

Ransomware threats: Cybercriminals take their wares to the next level

As companies and individuals harden their defenses against ransomware, hackers are creating new and more virulent ransomware threats.

4 days ago