[Proof of concept] Why you should NEVER store cookies on a FirefoxPortable installation

m-p-3
Joined: 2006-06-17 21:25

Overview
In order to protect your sensitive login information, you decide to set a Master Password, so only you can effectively use it, and it makes you feel better in case you lose your storage media.

Additional Information
Because you like to have some settings already configured on some websites, cookies are created and stored on the storage media for future reference in a file named cookies.sqlite. This file is actually an SQLite database, which contains all the information regarding your cookies. If you open this file with a plain text editor (i.e. Notepad), you'll see a bunch of mostly unreadable data, and some readable text strings, like the URLs of stored cookies.

Application
In case someone retrieves your storage media, even if there is a Master Password effectively protecting your login information, the cookies.sqlite file is not protected by the encryption scheme.

What the attacker could do is create a plain installation of Firefox Portable, copy the cookies.sqlite file from your storage media into the plain installation, and launch the basic Firefox Portable installation. With the URLs stored in the cookies.sqlite file, he could access, for example, mail.google.com, which you previously logged in to (without logging out), and gain access to your account, even if the attacker doesn't even know your password, because the stored cookies will authenticate the browser as the one that previously logged in.

Recommendations
- Do not store cookies for longer than the current Firefox session (Keep until I close Firefox)
- Use third-party software that encrypts your Firefox Portable profile or the whole storage media (Toucan, TrueCrypt, etc.)
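
A way to check your own profile for the exposure described in the post above, as an added example that is not part of the original thread: it confirms the file is plain SQLite on disk and counts unexpired cookies per host without reading their values. The `moz_cookies` columns used (`host`, `expiry` in seconds since the epoch) and the sample rows are assumptions, with the data constructed for the demo.

```python
import os, pathlib, sqlite3, tempfile, time

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any unencrypted SQLite file

def is_plain_sqlite(path):
    """True if the file carries the SQLite header, i.e. it is not encrypted at rest."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def audit_cookies(path, now=None):
    """Return {host: count} of unexpired cookies on disk; cookie values are never read."""
    now = int(time.time()) if now is None else now
    # Open read-only so the audit cannot modify the profile.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT host, COUNT(*) FROM moz_cookies "
            "WHERE expiry > ? GROUP BY host ORDER BY host", (now,)).fetchall()
    finally:
        con.close()
    return dict(rows)

def build_sample(path, now):
    """Constructed sample data standing in for a real cookies.sqlite (assumed schema)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, "
                "value TEXT, host TEXT, path TEXT, expiry INTEGER)")
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry) VALUES (?,?,?,?,?)",
        [("SID", "constructed-1", ".mail.example.com", "/", now + 14 * 86400),
         ("prefs", "constructed-2", ".mail.example.com", "/", now + 365 * 86400),
         ("old", "constructed-3", "forum.example.org", "/", now - 86400)])  # expired
    con.commit()
    con.close()

def demo():
    now = 1_700_000_000  # fixed clock so the result is reproducible
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "cookies.sqlite")
        build_sample(p, now)
        return is_plain_sqlite(p), audit_cookies(p, now)

if __name__ == "__main__":
    plain, hosts = demo()
    print("plain SQLite on disk (not covered by the Master Password):", plain)
    for host, n in hosts.items():
        print(f"{host}: {n} persistent cookie(s) on disk")
```

To audit a real profile, call `is_plain_sqlite` and `audit_cookies` on its cookies.sqlite while Firefox is closed; any host listed still has cookies on the storage media that outlive the session.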

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Nothing New

This is nothing really new. It applies across all portable software across all platforms, as well as your laptop, PDA, etc.

Sometimes, the impossible can become possible, if you're awesome!

KickButts
Joined: 2008-03-13 09:58
Yep...

But it is good info for newbies beginners, anyway. ;)

Alive and kicking!
"If you were a robot, and I knew but you didn't, would you want me to tell you?"

statement
Joined: 2008-05-06 12:32
Passwords can be read quite easily.
See this: http://www.nirsoft.net/utils/passwordfox.html

Additionally, cookies, history, and everything else are unsafe. So the best protection is encrypting and password protecting your computer/USB stick.

[edit] - Rephrased sentence.

Bahamut
Joined: 2006-04-07 08:44
It displays all information except usernames and passwords. Maybe it works once the master password is entered, but that would still be useless. signons.txt, signons2.txt, and signons3.txt are all encrypted.

Vintage!

m-p-3
Joined: 2006-06-17 21:25
I tried it on my Firefox Portable installation with a Master Password; it is unable to retrieve them, as the files are encrypted.

The only things in fact that are encrypted are the password file (signons3.txt) and the Master Password keyfile (key3.db). Without brute-forcing those files, you won't have access to their content.

Cookies and stored session data are not encrypted, which is why you shouldn't keep them on a portable device.

Using a strong enough Master Password should keep most people out of your stuff.
