Cracking Firefox Encryption and Rescuing Saved Passwords!

#security #python #programming #tutorial

Who hasn’t taken advantage of that amazing browser feature to save time and avoid the stress of remembering passwords for various websites where we’re registered? With so many different profiles to manage nowadays, this convenience has become a real lifesaver!

However, it’s natural to have some doubts about the security of this process since we’re entrusting sensitive information to the hands of the browser. But don’t worry, together we’ll unravel how Firefox handles this crucial aspect.

In this article, we’ll dive deeper into how Firefox works and how it stores our passwords. Is this practice really secure? We’ll better understand how our data is treated and, in turn, feel more at ease using this browser convenience.

Finding the Storage Location

In this section, we’ll discover where the folder that stores Firefox data is located in your default profile. This location may vary depending on your platform. Check out the paths below:

Windows:



C:/Users/<username>/AppData/Roaming/Mozilla/Firefox

Mac OS:



~/Library/Application Support/Firefox

Linux:



~/.mozilla/firefox

When running on your computer, remember to replace with your machine’s username. This information will be useful for the password recovery process, which we’ll explore in detail later.

Now, once inside the specific folder, we’ll list the contents to identify the important file for our action:



└─$ cd cwprco4r.default-esr && ls -lah 
...
-rw-r--r--  1 higor higor 2,5K jul 22 09:30 logins.json
...

Above, we have the important file for our action. The rest of the files in this folder are not relevant to the purpose of this article.

By executing a read command like cat logins.json, we will get the following output:



{
  "nextId": 3,
  "logins": [
    {
      "id": 1,
      "hostname": "chrome://FirefoxAccounts",
      "httpRealm": "Firefox Accounts credentials",
      "formSubmitURL": null,
      "usernameField": "",
      "passwordField": "",
      "encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYJITKoZIhvcNabAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
      "encryptedPassword": "MIIDdAQQ+AAAAAAAAAAAAAAAAAAAATAUBggqhkiG9w0gc2aae45DBwQISyY0ItSG+VQEgat1gNIkM7/xitAyu7BaD8YvkZ3GUfbfsUxGkTJyZwKFyQVjnwVlBgUmrC84lSycKkzdoeDsX2VFQoka90izrJ7gwxSlCbXX8DotPYjNGZEjIOKuODsxbXHEen7m/UIh0UqkKKtkQeU9OxG3vViGrPJgZs2kLpJtpX3YEVGbgHig6orJtZtjfkSfB2CTpaSsGDHJBsKwFt1wUYOp8NdQPndrRcTZ3kF9if93rDhfxlgkpePGYYl3NkgQIu6jJ76hOLYeEh0Mm7mCIHa/jiKwUHtU6xVxc3OMX0BY/E0jCeN6NMuxC44HgPhjkKqMGaKBNxp/SdMO7a2L3dPw0pndkKhx5XweylFU4KBcrRJSWzAPbHsRQ5gOg4umn6R+idKJpp3UbBovlte4fWOJyk+2hSLabKdHvOX82D5Hbg03ThOI62uXyVsAqmAxgLUsIAh9kRxA2MyfwnD5OVF4lBCQzEmPVTGfs8mi196WxYXJekC2Bn4ARH1rZlJo7c6bsGBcw5dRx5QqGmOrYYhSUr1+B9onLV+Ja1n+G8dNXGq3803+nSAcLZOBzq3YxB0+dJ/o4S9M+jNZChnDiJ3LF2JXIqKY5MnIw7sFrI0y1YTvEUWeVrGAGh3vDqBVOtlznx7G4VdX92nGjwuHDfH07QDXplVYbjthIvRN6Ykm+MLGoTY84kWuGkqpczeXtUQp3P5/JziUVCePdoaJhwU4JATpNXy25PNcgprW2SFQ4L/jCJ3L9JL9P+XRSZ3nVzDqm+xVLqWQVmda1fDWAAkmRmzPaDF+M5hXTM4NVJy8DbLrQislKsBWcw1GUCZNe0ja4019vXkUqV0LhAa7EnoidgoxBPVCUw0/37/2lAGURMdo5Q6dujWtku6fMhlsr7SVtVTaxnK9jZnkhqb2H8qhW4aoajHeym9EpKYKsqlraragGT8Cn7NmQs7BTicEQwvOYP+oUEFAcXYIX1yE/3zmQSH29QfkeobX1PcwaIRuct6hf8IG13TjOQe/K5k6UJep9XTEpUpfW7dWcipRLnXKXK+pSBwpj1WYHpYG7+qdSmf/85YiexedTWk5px/9DyH1RlqH7UT4Uern4ynEOBJcys9InNFGRiBhvQtvXclBanP",
      "guid": "{a2eb5150-685d-4615-a254-1c5dd58bee56}",
      "encType": 1,
      "timeCreated": 1689961688625,
      "timeLastUsed": 1689961688625,
      "timePasswordChanged": 1689961698732,
      "timesUsed": 1
    },
    {
      "id": 2,
      "hostname": "https://example.website.net",
      "httpRealm": null,
      "formSubmitURL": "https://example.website.net",
      "usernameField": "EmailAddress",
      "passwordField": "Password",
      "encryptedUsername": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcE7x8cECOMFrk7xgPbEBBjqYBBzCDYxqHeHziM1jV/M7lzxfYpY3os=",
      "encryptedPassword": "MFIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcvcrBCiECFZc/kfDKvcrBCinGLow37uiKmg7K83IUGntneBODTMeV1jMrg95p3sCQzSknnBdG2ef",
      "guid": "{f0459b50-b0fe-4512-a085-e94e72319579}",
      "encType": 1,
      "timeCreated": 1687392175539,
      "timeLastUsed": 1689971142811,
      "timePasswordChanged": 1687392175539,
      "timesUsed": 2
    }
  ],
  "potentiallyVulnerablePasswords": [],
  "dismissedBreachAlertsByLoginGUID": {},
  "version": 3,
  "sync": {
    "lastSync": 1689961704.49,
    "syncID": "MDoEEPgAAoZIhvcNAwAAAAAAAAAAA03210x,mmmAAAAAoZIhvcNAwEwFAYIKoZIhvcNAwcECD42iieWPdOhBBAjVsIqtcbz7b/ttYPhb2D0ZI63"
  }
}

This file contains the information needed to recover the passwords saved in the browser.

Identification of Encryption and Security Library

To ensure security, the username and password are encrypted using a cryptographic standard called PKCS #11 (Public-Key Cryptography Standards #11). This standard defines a standard interface for accessing cryptographic devices, such as smart cards and USB tokens, making cryptographic operations secure and protecting sensitive information.

Firefox adopts this standard through the NSS library, which has different names depending on the operating system:

Windows:



nss3.dll

Mac OS X El Capitan:



libnss3.dylib

Linux:



libnss3.so

These libraries are essential for the password decryption process.

Decrypting the Passwords

Now, let’s move on to the decryption step! To do this, we need to follow these steps:

Clone the repository containing the code required for decryption:



git clone git@github.com:unode/firefox_decrypt.git

Run the code, providing the path to the folder containing the Firefox files:



python firefoxy_decrypt.py /home/higor/.mozilla/firefox/cwprco4r.default-esr

The expected result will be the display of the saved passwords’ information:



Website:   https://example.website.net

Username: 'higor@gmail.com'

Password: 'teste#123'

Conclusion

Saving passwords in the browser can be extremely convenient, saving time and effort when accessing our accounts. However, it’s essential to be cautious and follow good security practices. Avoid using public computers to access important accounts and never share your passwords with others.

I hope this article has been useful and informative!

Keep following us for more content on technology, cybersecurity, and other interesting subjects.

Until next time!