Firefox fixes “master password” security bypass bug

Firefox just pushed out an update to fix a security glitch…

…in its password manager.

Mozilla delivers a new major version every six weeks on what we jocularly call fortytwosday, given that it always comes out on a Tuesday (and that 6 × 7 = 42).

Point releases, mainly to fix security issues, often come out between the main fortytwosday versions, as in this case, taking the full version number of the current 68-flavoured release from 68.0.1 to 68.0.2.

What’s interesting in this release is the security fix it delivers:

CVE-2019-11733: Stored passwords in ‘Saved Logins’ can be copied without master password entry.

When a master password is set, it is required to be entered before stored passwords can be accessed in the ‘Saved Logins’ dialog. It was found that locally stored passwords can be copied to the clipboard thorough the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

Mozilla rates this fix as “moderate” – after all, it doesn’t let just anyone extract web passwords any time from anywhere – but if you are a Firefox user, it’s worth checking that you are up-to-date.

Even if you have automatic updating turned on, make sure you know how to verify manually that updating is working correctly. (By the way, that goes for all the updates you’re subscribed to, including those for your operating system and other apps.)

The easiest way is simply to choose the About Firefox menu item, which tells you the version number you’re running now, checks for any updates, and offers you any updates that you haven’t received yet.

On a Mac, the About box is accessed from the Firefox menu item; on Windows and Linux, it’s HelpAbout Firefox.

Many Windows users run with the Firefox menu bar turned off to save screen space. If you don’t have the File Edit View... menu visible, you can enable it by right clicking in the top bar of the Firefox window and turning on the Menu Bar option. Pressing the Alt key will also toggle the menu bar on and off. Alternatively, click the three-bar icon (also known as the hamburger button) at the top right and choose the Help menu from there.

If there’s an update available, you’ll see a [Restart to update Firefox] button:

Click it and you’re done – Firefox will remember the tabs you have open and the session cookies you have set, exit, update, reload and open your tabs back up again.

If all goes well, you’ll be back where you were, still logged in to the same sites and ready to continue.

Go back to the About box and confirm that you’re up-to-date:

Two more controversies…

By the way, Firefox’s password manager raises two interesting controversies even in the absence of a security problem like the one mentioned here.

The password manager is turned on by default, but without a master password, as you can see by doing a fresh install and then going to the Privacy & Security section on the Preferences page:

In other words, a default Firefox setup essentially suffers from the bug described in this article all the time, because there’s no master password used by default, and therefore you never need to enter one.

We recommend never keeping unprotected password databases on your computer, so we suggest that you either:

  • Turn Firefox’s Ask to save logins and passwords for websites option OFF, or
  • Turn Firefox’s Use a master password ON.

If you’ve already got a standalone password manager app that you use for general password security, you probably want to forgo Firefox’s built-in password storage and use your chosen app instead.

Although there’s an adage that says you shouldn’t put all your eggs in one basket, there are disadvantages to using multiple password managers, namely that it’s much harder to keep everything in synch and backed up.

After all, there’s another cybersecurity adage that says, when it comes to passwords, you should put all your eggs in one basket, and watch that basket.

To get rid of any login information you’ve entrusted to Firefox, , accidentally or otherwise, use the [Saved Logins...] button shown above, and then [Remove All] to empty Firefox’s password database.

Oh, and while you’re about it, turn on two-factor authentication (2FA) for any online accounts that support it – it’s a minor inconvenience for you but a significant additional barrier for cybercrooks.


No video? Watch on YouTube. No audio? Click the [Subtitles] icon for closed captions.