-
October 16th, 2004, 08:33 PM
#1
Firefox 0.9.3 false safety
hi all,
i was doing some investigating on my drive since i am planning to write a program which reads the saved passwords and usernames for Firefox (just like iekey.exe from passware does for Internet Explorer).
but what i have found out is that when you go to "tools","options","privacy" and hit the "clear all" button, nothing is removed! the files which contain the stored history and the "encrypted passwords" still have the same content AFTER pressing that button. you'll have to clear all the options one by one in order to clean your history.
also all interesting data is saved in one and the same folder:
C:\Documents and Settings\<your username>\Application Data\Mozilla\Firefox\Profiles\default.sfp
in this folder there are several interesting files, but one of them is the most interesting: signons.txt. this is the txt file where the url history AND the saved passwords and usernames are stored (although encrypted).
i think the encryption is some kind of base64 form since the encryption looks a lot like it (but can't be deciphered using base64).
also when you have cleared all data, one by one via the GUI from firefox, this file still contains semi personal data, it is some kind of url history which goes way back in time.
e.g.:
the signons.txt file on my computer contains the following:
this file contains entries of sites i haven't visited in about 2 months (and i clear my history etc about 2 times per week)!
i find this a really BAD thing that anyone who can read files on your computer can find out these things so easily even if you think you are safe by clearing your cache, history, passwords etc very often, the file still contains personal data!
so i think i will go for another browser (again), and hope to find one which DOES delete everything if you say so!
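The check described in the post above (are the profile files still the same after "clear all"?) can be automated by hashing the folder before and after the clear. This is an added example, not part of the original post; the folder is a constructed temporary stand-in, and `history-placeholder.dat` and all file contents are made up for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(profile_dir):
    """Map each file under profile_dir to (size, SHA-256 hex digest)."""
    root = Path(profile_dir)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            state[path.relative_to(root).as_posix()] = (
                len(data), hashlib.sha256(data).hexdigest())
    return state


def residual_files(before, after):
    """Files that were non-empty before the clear and are byte-for-byte
    identical afterwards, i.e. the clear action did not touch them."""
    return sorted(
        name for name, (size, digest) in before.items()
        if size > 0 and after.get(name) == (size, digest)
    )


def demo():
    """Constructed stand-in for a profile folder; contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "signons.txt").write_text("constructed sample entry\n")
        (profile / "history-placeholder.dat").write_text("constructed history\n")
        before = snapshot(profile)
        # Simulate a clear action that empties only one of the two files.
        (profile / "history-placeholder.dat").write_text("")
        after = snapshot(profile)
        return residual_files(before, after)


if __name__ == "__main__":
    print(demo())
```

On a real profile, take both snapshots with the browser closed, since it may rewrite files on exit.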
-
October 16th, 2004, 09:29 PM
#2
This file doesn't exist under PR1.0 that I can see. Out of curiosity, why are you running an older vulnerable version?
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
October 16th, 2004, 09:32 PM
#3
Yes u r right i have checked the mentioned files and it is disclosing the information that i have cleared from the 'Options' menu. Guys, does anyone know why this is happening, that after hitting the 'Clear All' button in the 'Options' menu, the information is still there on the system? :-(
Excuse me, is there an airport nearby large enough for a private jet to land?
-
October 16th, 2004, 10:08 PM
#4
This file doesn't exist under PR1.0 that I can see. Out of curiosity, why are you running an older vulnerable version?
because i still need to reinstall my system, and haven't bothered getting an updated version yet (i know, not a good thing, but i'm planning on doing it tomorrow!)
but i will try and figure out where the passwords are stored in the latest version too
[EDIT]well, just installed the latest version, and it appears to be solved here, BUT the passwords are still stored in the same file (signons.txt)![/EDIT]
-
October 17th, 2004, 07:21 AM
#5
Member
so i think i will go for another browser (again), and hope to find one which DOES delete everything if you say so!
Avant browser http://www.avantbrowser.com/
There wasn't any paper used here, but millions of electrons were terribly inconvenienced
-
October 17th, 2004, 07:35 AM
#6
SecGod, you seem to be anti Internet Explorer, according to your post here:
http://www.antionline.com/showthread...r=1#post790717
Understand that Avant is just a browser that runs off the IE engine.
It's pretty much the same as running IE, w/ some extra features.
-
October 17th, 2004, 11:57 AM
#7
then that's not a good option either, since i do not like IE for its lack of safety too..
perhaps i will try opera and see how safe this is
-
October 17th, 2004, 12:10 PM
#8
Isn't the signons.txt the wallet password storer? That is, you have the browser remember your logins? Isn't that whole process insecure to begin with? I never used it with IE, why would I use it with Firefox in the first place (I use mozilla but same diff in some regards)?
chsh, you're probably like me and don't use it, hence why you can't find it. The process of storing user name, password and other info locally has always been an insecurity and one thing that many (if not all) browser manufacturers enable. That and HTML emails are evil things that software manufacturers developed for the "ease of users" (i.e., lazy users).
So if you don't want to have passwords stored locally, don't use the wallet feature. Problem solved.
Oh.. on a side note, the author of this little tool is trying to create an equivalent for firefox. He seems to agree with you that it is a Base64 (based on an August entry in his blog this year).
-
October 17th, 2004, 02:31 PM
#9
Oh.. on a side note, the author of this little tool is trying to create an equivalent for firefox. He seems to agree with you that it is a Base64 (based on an August entry in his blog this year).
well, it looks like it is base64 encoded, but when i try to decode a string, it doesn't work (also his script doesn't work).
normally i NEVER used stored passwords, but i know of many people who do, so it IS a security issue, and when you can't erase it (although you're under the impression that you did), that makes it an even bigger security issue.
-
October 17th, 2004, 02:57 PM
#10
Junior Member
Firefox
Firefox is a good browser, just as good as any other browser.
I don't think that the problem is in the browser. More likely it's how you use the browser and what settings you have.
And remember that's just an opinion
(please mind my spelling, English isn't my first language )