I just downloaded the new Firefox 3 and after using it for five minutes my first impression is that it’s super fast.
But during these five minutes I already found what to me seems like a huge security flaw:
Click on the site icon in the address bar + click More Information button + click Show Passwords button. This will show any passwords you have saved for a site in clear text!
This means for example that if I borrow a friend’s computer I will be able to see his or hers stored usernames and passwords in clear text.
How many normal users will know about this security hole when they select to have firefox remember their username and password? Not many.
I have not played around with FireFox 3 long enough to see if there is a way to turn this feature off, but by default it is obviously on.
This does not seem thought thru at all…
Ps: I have no idea how passwords are stored in the file system in FF2 or FF3 but I always supposed that it was somehow encrypted but maybe it has always been in clear text?
I have now been told and checked that it also worked like this in FF2 only that you had to go to Tools + Options + Security to see them. To prevent others from seeing your passwords you should set a Master Password from Tools + Options + Security.
I have not yet examined the file system but from what I have read passwords are encrypted and stored in two files: key3.db and signons.txt.
From a quick look in Internet Explorer 7 I cannot find my stored passwords anywhere so it seems this is handled more securely there. But maybe it’s there only I cannot find it? I ran Firefox 2 for a long time without noticing my passwords were available for anyone using my computer to see…
In my opinion this is still a huge security hole and I cannot understand why Firefox works this way. The least I would expect would be a clear warning every time you are asked to store a password (without having your Master Password set) ]
For anyone using a Mac I warmly recommnd 1Password – it keeps your passwords safe but integrates nicely into Firefox and Safari