Who hasn’t taken advantage of that amazing browser feature to save time and avoid the stress of remembering passwords for various websites where we’re registered? With so many different profiles to manage nowadays, this convenience has become a real lifesaver!
However, it’s natural to have some doubts about the security of this process since we’re entrusting sensitive information to the hands of the browser. But don’t worry, together we’ll unravel how Firefox handles this crucial aspect.
In this article, we’ll dive deeper into how Firefox works and how it stores our passwords. Is this practice really secure? We’ll better understand how our data is treated and, in turn, feel more at ease using this browser convenience.
Finding the Storage Location
In this section, we’ll discover where the folder that stores Firefox data is located in your default profile. This location may vary depending on your platform. Check out the paths below:
Windows:
C:/Users/<username>/AppData/Roaming/Mozilla/Firefox
Mac OS:
~/Library/Application Support/Firefox
Linux:
~/.mozilla/firefox
When running on your computer, remember to replace with your machine’s username. This information will be useful for the password recovery process, which we’ll explore in detail later.
Now, once inside the specific folder, we’ll list the contents to identify the important file for our action:
└─$ cd cwprco4r.default-esr && ls -lah
...
-rw-r--r-- 1 higor higor 2,5K jul 22 09:30 logins.json
...
Above, we have the important file for our action. The rest of the files in this folder are not relevant to the purpose of this article.
By executing a read command like cat logins.json
, we will get the following output:
{
"nextId": 3,
"logins": [
{
"id": 1,
"hostname": "chrome://FirefoxAccounts",
"httpRealm": "Firefox Accounts credentials",
"formSubmitURL": null,
"usernameField": "",
"passwordField": "",
"encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYJITKoZIhvcNabAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
"encryptedPassword": "MIIDdAQQ+AAAAAAAAAAAAAAAAAAAATAUBggqhkiG9w0gc2aae45DBwQISyY0ItSG+VQEgat1gNIkM7/xitAyu7BaD8YvkZ3GUfbfsUxGkTJyZwKFyQVjnwVlBgUmrC84lSycKkzdoeDsX2VFQoka90izrJ7gwxSlCbXX8DotPYjNGZEjIOKuODsxbXHEen7m/UIh0UqkKKtkQeU9OxG3vViGrPJgZs2kLpJtpX3YEVGbgHig6orJtZtjfkSfB2CTpaSsGDHJBsKwFt1wUYOp8NdQPndrRcTZ3kF9if93rDhfxlgkpePGYYl3NkgQIu6jJ76hOLYeEh0Mm7mCIHa/jiKwUHtU6xVxc3OMX0BY/E0jCeN6NMuxC44HgPhjkKqMGaKBNxp/SdMO7a2L3dPw0pndkKhx5XweylFU4KBcrRJSWzAPbHsRQ5gOg4umn6R+idKJpp3UbBovlte4fWOJyk+2hSLabKdHvOX82D5Hbg03ThOI62uXyVsAqmAxgLUsIAh9kRxA2MyfwnD5OVF4lBCQzEmPVTGfs8mi196WxYXJekC2Bn4ARH1rZlJo7c6bsGBcw5dRx5QqGmOrYYhSUr1+B9onLV+Ja1n+G8dNXGq3803+nSAcLZOBzq3YxB0+dJ/o4S9M+jNZChnDiJ3LF2JXIqKY5MnIw7sFrI0y1YTvEUWeVrGAGh3vDqBVOtlznx7G4VdX92nGjwuHDfH07QDXplVYbjthIvRN6Ykm+MLGoTY84kWuGkqpczeXtUQp3P5/JziUVCePdoaJhwU4JATpNXy25PNcgprW2SFQ4L/jCJ3L9JL9P+XRSZ3nVzDqm+xVLqWQVmda1fDWAAkmRmzPaDF+M5hXTM4NVJy8DbLrQislKsBWcw1GUCZNe0ja4019vXkUqV0LhAa7EnoidgoxBPVCUw0/37/2lAGURMdo5Q6dujWtku6fMhlsr7SVtVTaxnK9jZnkhqb2H8qhW4aoajHeym9EpKYKsqlraragGT8Cn7NmQs7BTicEQwvOYP+oUEFAcXYIX1yE/3zmQSH29QfkeobX1PcwaIRuct6hf8IG13TjOQe/K5k6UJep9XTEpUpfW7dWcipRLnXKXK+pSBwpj1WYHpYG7+qdSmf/85YiexedTWk5px/9DyH1RlqH7UT4Uern4ynEOBJcys9InNFGRiBhvQtvXclBanP",
"guid": "{a2eb5150-685d-4615-a254-1c5dd58bee56}",
"encType": 1,
"timeCreated": 1689961688625,
"timeLastUsed": 1689961688625,
"timePasswordChanged": 1689961698732,
"timesUsed": 1
},
{
"id": 2,
"hostname": "https://example.website.net",
"httpRealm": null,
"formSubmitURL": "https://example.website.net",
"usernameField": "EmailAddress",
"passwordField": "Password",
"encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
"encryptedPassword": "MFIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcvcrBCiECFZc/kfDKvcrBCinGLow37uiKmg7K83IUGntneBODTMeV1jMrg95p3sCQzSknnBdG2ef",
"guid": "{f0459b50-b0fe-4512-a085-e94e72319579}",
"encType": 1,
"timeCreated": 1687392175539,
"timeLastUsed": 1689971142811,
"timePasswordChanged": 1687392175539,
"timesUsed": 2
}
],
"potentiallyVulnerablePasswords": [],
"dismissedBreachAlertsByLoginGUID": {},
"version": 3,
"sync": {
"lastSync": 1689961704.49,
"syncID": "MDoEEPgAAoZIhvcNAwAAAAAAAAAAA03210x,mmmAAAAAoZIhvcNAwEwFAYIKoZIhvcNAwcECD42iieWPdOhBBAjVsIqtcbz7b/ttYPhb2D0ZI63"
}
}
This file contains the information needed to recover the passwords saved in the browser.
Identification of Encryption and Security Library
To ensure security, the username and password are encrypted using a cryptographic standard called PKCS #11 (Public-Key Cryptography Standards #11). This standard defines a standard interface for accessing cryptographic devices, such as smart cards and USB tokens, making cryptographic operations secure and protecting sensitive information.
Firefox adopts this standard through the NSS library, which has different names depending on the operating system:
Windows:
nss3.dll
Mac OS X El Capitan:
libnss3.dylib
Linux:
libnss3.so
These libraries are essential for the password decryption process.
Decrypting the Passwords
Now, let’s move on to the decryption step! To do this, we need to follow these steps:
- Clone the repository containing the code required for decryption:
git clone git@github.com:unode/firefox_decrypt.git
- Run the code, providing the path to the folder containing the Firefox files:
python firefoxy_decrypt.py /home/higor/.mozilla/firefox/cwprco4r.default-esr
- The expected result will be the display of the saved passwords’ information:
Website: https://example.website.net
Username: 'higor@gmail.com'
Password: 'teste#123'
Conclusion
Saving passwords in the browser can be extremely convenient, saving time and effort when accessing our accounts. However, it’s essential to be cautious and follow good security practices. Avoid using public computers to access important accounts and never share your passwords with others.
I hope this article has been useful and informative!
Keep following us for more content on technology, cybersecurity, and other interesting subjects.
Until next time!
References
https://medium.com/geekculture/how-to-hack-firefox-passwords-with-python-a394abf18016
Top comments (1)
So i assume the guys at Mozzilla Firefox does not know about this....Yet