You are here

Firefox Portable - Password Manager insecure?

4 posts / 0 new
Last post
wulfmeyer
Offline
Last seen: 13 years 1 month ago
Joined: 2011-09-07 08:10
Firefox Portable - Password Manager insecure?

transferred from
http://forums.mozillazine.org/viewtopic.php?f=8&t=2287811&p=11222717#p11...
+++

I somehow achieved a highly unsecure situation on one of my systems and can't even remediate it now.
Clean uninstal also seems useless for a portable application, isn't it?

- Had an old Firefox (presumably 4.x) running on a Win XP system.
- Unistalled it, but without deleting cache and presets.
- Had a Firefox Protable installation on a USB (at that time 5.x, now 6.x) and decided to simply copy it to my HDD in order to avoid re-installing all addons and so on
- Set the new portable FF to remember pw and also set a master password.

Surprising result:
Even after a complete shutdown FF gets all data out of the password manager and logs into anything without prompting for the master password.

- Tried to erase all data of the password manager and do a clean setup, but without success. Everything I store in the pw manager is accessible.

Does that mean to me that if anyone gets his hands on my Firefox Portable installation and copies it onto another system (maybe with some specific registry keys from a previous installation???), under certain circumstances access to all my passwords stored in that installation is free???

Scary thought!!!

+++

It's the real FirefoxPortable.exe.

Today I "managed" to open the leak again.
Copied a portable installation with installed password manager to a different system
(with a prior regular Firefox 6.0.1 installation, which I had removed without deleting settings).
I don't know if this works with a copy to a clean system, too.

The copy uses user names and passwords out of the password manager without prompting for the master password.
For saving a new password it prompts for master password once, but afterwards these new passwords can also be used freely.

It seems not to be recommendable to use the password manager in the portable app, is it?

wulfmeyer
Offline
Last seen: 13 years 1 month ago
Joined: 2011-09-07 08:10
still no answer from

still no answer from anyone?
Maybe @John T. Haller?

Ackael
Offline
Last seen: 3 years 9 months ago
Joined: 2013-08-04 13:03
I am afraid you are right: FF IS INSECURE!

I experienced the same right know - even 10 years after your message. After having copied ff to another system ff simply "ignores" that originally it had a master password (primary pw) and it simply does everything without asking for the primary pw.
Does anyone know a solution?
Otherwise I won't save any sensible pw any more on ff. Instead for this I will use k-meleon or falkon, which don't have these faults.

John T. Haller
John T. Haller's picture
Online
Last seen: 15 min 35 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Works Fine Here

1. Install new copy of Firefox Portable
2. Go to about:logins
3. Click the 3 dot menu and select Options
4. Check off Primary Password
5. Set password to whatever you want
6. Click OK
7. Add a password to the store (example.com, username, password)
8. Close Firefox Portable
9. Open Firefox Portable on another PC
10. Go to about:logins and see that you're prompted for your password

Sometimes, the impossible can become possible, if you're awesome!

Log in or register to post comments