DEV Community

Higor Diego
Higor Diego

Posted on

Cracking Firefox Encryption and Rescuing Saved Passwords!

FirefoxDecrypt

Who hasn’t taken advantage of that amazing browser feature to save time and avoid the stress of remembering passwords for various websites where we’re registered? With so many different profiles to manage nowadays, this convenience has become a real lifesaver!

However, it’s natural to have some doubts about the security of this process since we’re entrusting sensitive information to the hands of the browser. But don’t worry, together we’ll unravel how Firefox handles this crucial aspect.

In this article, we’ll dive deeper into how Firefox works and how it stores our passwords. Is this practice really secure? We’ll better understand how our data is treated and, in turn, feel more at ease using this browser convenience.

Finding the Storage Location

In this section, we’ll discover where the folder that stores Firefox data is located in your default profile. This location may vary depending on your platform. Check out the paths below:

Windows:



C:/Users/<username>/AppData/Roaming/Mozilla/Firefox


Enter fullscreen mode Exit fullscreen mode

Mac OS:



~/Library/Application Support/Firefox


Enter fullscreen mode Exit fullscreen mode

Linux:



~/.mozilla/firefox


Enter fullscreen mode Exit fullscreen mode

When running on your computer, remember to replace with your machine’s username. This information will be useful for the password recovery process, which we’ll explore in detail later.

Now, once inside the specific folder, we’ll list the contents to identify the important file for our action:



└─$ cd cwprco4r.default-esr && ls -lah 
...
-rw-r--r--  1 higor higor 2,5K jul 22 09:30 logins.json
...


Enter fullscreen mode Exit fullscreen mode

Above, we have the important file for our action. The rest of the files in this folder are not relevant to the purpose of this article.

By executing a read command like cat logins.json, we will get the following output:



{
  "nextId": 3,
  "logins": [
    {
      "id": 1,
      "hostname": "chrome://FirefoxAccounts",
      "httpRealm": "Firefox Accounts credentials",
      "formSubmitURL": null,
      "usernameField": "",
      "passwordField": "",
      "encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYJITKoZIhvcNabAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
      "encryptedPassword": "MIIDdAQQ+AAAAAAAAAAAAAAAAAAAATAUBggqhkiG9w0gc2aae45DBwQISyY0ItSG+VQEgat1gNIkM7/xitAyu7BaD8YvkZ3GUfbfsUxGkTJyZwKFyQVjnwVlBgUmrC84lSycKkzdoeDsX2VFQoka90izrJ7gwxSlCbXX8DotPYjNGZEjIOKuODsxbXHEen7m/UIh0UqkKKtkQeU9OxG3vViGrPJgZs2kLpJtpX3YEVGbgHig6orJtZtjfkSfB2CTpaSsGDHJBsKwFt1wUYOp8NdQPndrRcTZ3kF9if93rDhfxlgkpePGYYl3NkgQIu6jJ76hOLYeEh0Mm7mCIHa/jiKwUHtU6xVxc3OMX0BY/E0jCeN6NMuxC44HgPhjkKqMGaKBNxp/SdMO7a2L3dPw0pndkKhx5XweylFU4KBcrRJSWzAPbHsRQ5gOg4umn6R+idKJpp3UbBovlte4fWOJyk+2hSLabKdHvOX82D5Hbg03ThOI62uXyVsAqmAxgLUsIAh9kRxA2MyfwnD5OVF4lBCQzEmPVTGfs8mi196WxYXJekC2Bn4ARH1rZlJo7c6bsGBcw5dRx5QqGmOrYYhSUr1+B9onLV+Ja1n+G8dNXGq3803+nSAcLZOBzq3YxB0+dJ/o4S9M+jNZChnDiJ3LF2JXIqKY5MnIw7sFrI0y1YTvEUWeVrGAGh3vDqBVOtlznx7G4VdX92nGjwuHDfH07QDXplVYbjthIvRN6Ykm+MLGoTY84kWuGkqpczeXtUQp3P5/JziUVCePdoaJhwU4JATpNXy25PNcgprW2SFQ4L/jCJ3L9JL9P+XRSZ3nVzDqm+xVLqWQVmda1fDWAAkmRmzPaDF+M5hXTM4NVJy8DbLrQislKsBWcw1GUCZNe0ja4019vXkUqV0LhAa7EnoidgoxBPVCUw0/37/2lAGURMdo5Q6dujWtku6fMhlsr7SVtVTaxnK9jZnkhqb2H8qhW4aoajHeym9EpKYKsqlraragGT8Cn7NmQs7BTicEQwvOYP+oUEFAcXYIX1yE/3zmQSH29QfkeobX1PcwaIRuct6hf8IG13TjOQe/K5k6UJep9XTEpUpfW7dWcipRLnXKXK+pSBwpj1WYHpYG7+qdSmf/85YiexedTWk5px/9DyH1RlqH7UT4Uern4ynEOBJcys9InNFGRiBhvQtvXclBanP",
      "guid": "{a2eb5150-685d-4615-a254-1c5dd58bee56}",
      "encType": 1,
      "timeCreated": 1689961688625,
      "timeLastUsed": 1689961688625,
      "timePasswordChanged": 1689961698732,
      "timesUsed": 1
    },
    {
      "id": 2,
      "hostname": "https://example.website.net",
      "httpRealm": null,
      "formSubmitURL": "https://example.website.net",
      "usernameField": "EmailAddress",
      "passwordField": "Password",
      "encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
      "encryptedPassword": "MFIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcvcrBCiECFZc/kfDKvcrBCinGLow37uiKmg7K83IUGntneBODTMeV1jMrg95p3sCQzSknnBdG2ef",
      "guid": "{f0459b50-b0fe-4512-a085-e94e72319579}",
      "encType": 1,
      "timeCreated": 1687392175539,
      "timeLastUsed": 1689971142811,
      "timePasswordChanged": 1687392175539,
      "timesUsed": 2
    }
  ],
  "potentiallyVulnerablePasswords": [],
  "dismissedBreachAlertsByLoginGUID": {},
  "version": 3,
  "sync": {
    "lastSync": 1689961704.49,
    "syncID": "MDoEEPgAAoZIhvcNAwAAAAAAAAAAA03210x,mmmAAAAAoZIhvcNAwEwFAYIKoZIhvcNAwcECD42iieWPdOhBBAjVsIqtcbz7b/ttYPhb2D0ZI63"
  }
}


Enter fullscreen mode Exit fullscreen mode

This file contains the information needed to recover the passwords saved in the browser.

Identification of Encryption and Security Library

To ensure security, the username and password are encrypted using a cryptographic standard called PKCS #11 (Public-Key Cryptography Standards #11). This standard defines a standard interface for accessing cryptographic devices, such as smart cards and USB tokens, making cryptographic operations secure and protecting sensitive information.

Firefox adopts this standard through the NSS library, which has different names depending on the operating system:

Windows:



nss3.dll


Enter fullscreen mode Exit fullscreen mode

Mac OS X El Capitan:



libnss3.dylib


Enter fullscreen mode Exit fullscreen mode

Linux:



libnss3.so


Enter fullscreen mode Exit fullscreen mode

These libraries are essential for the password decryption process.

Decrypting the Passwords

Now, let’s move on to the decryption step! To do this, we need to follow these steps:

  • Clone the repository containing the code required for decryption:


git clone git@github.com:unode/firefox_decrypt.git


Enter fullscreen mode Exit fullscreen mode
  • Run the code, providing the path to the folder containing the Firefox files:


python firefoxy_decrypt.py /home/higor/.mozilla/firefox/cwprco4r.default-esr


Enter fullscreen mode Exit fullscreen mode
  • The expected result will be the display of the saved passwords’ information:


Website: https://example.website.net
Username: 'higor@gmail.com'
Password: 'teste#123'

Enter fullscreen mode Exit fullscreen mode




Conclusion

Saving passwords in the browser can be extremely convenient, saving time and effort when accessing our accounts. However, it’s essential to be cautious and follow good security practices. Avoid using public computers to access important accounts and never share your passwords with others.

I hope this article has been useful and informative!

Keep following us for more content on technology, cybersecurity, and other interesting subjects.

Until next time!

References

https://medium.com/geekculture/how-to-hack-firefox-passwords-with-python-a394abf18016

Top comments (1)

Collapse
 
overflow profile image
overFlow

So i assume the guys at Mozzilla Firefox does not know about this....Yet