(OT) Google Chrome "cracks" Firefox's Master password?

Peter Lairo

Sep 4, 2008, 4:02:07 PM
I just received an e-mail from a friend who tried Google Chrome and had a
very disconcerting experience.

He said he had a Master Password set in his Firefox profile before he
installed chrome. Then he installed chrome, and it apparently copied his
Firefox profile over to a new chrome profile. Then, using Chrome, he
went to a site where he needs to log in and for which he had stored a
password in his firefox profile. The kicker is, that he's saying that
Chrome filled in the password field *without* asking for the master
password.

I thought the Firefox password file was encrypted once one set a master
password. It appears that Chrome is able to decrypt this file without the
user needing to enter the master password. That seems like a *serious
security breach*!

Does anyone have any insight into this?
--
Regards,

Peter Lairo

The browser you can trust: www.GetFirefox.com
Reclaim Your Inbox: www.GetThunderbird.com

Dangers of Islam (NEW): http://www.jihadwatch.org/islam101/
Israel - Myths & Facts: http://www.JewishVirtualLibrary.org/
Church of the Flying Spaghetti Monster: http://www.venganza.org/

Jay Garcia

Sep 4, 2008, 6:17:56 PM
On 04.09.2008 15:02, Peter Lairo wrote:

--- Original Message ---

> I just received an e-mail from a friend who tried Google Chrome and had a
> very disconcerting experience.
>
> He said he had a Master Password set in his Firefox profile before he
> installed chrome. Then he installed chrome, and it apparently copied his
> Firefox profile over to a new chrome profile. Then, using Chrome, he
> went to a site where he needs to log in and for which he had stored a
> password in his firefox profile. The kicker is, that he's saying that
> Chrome filled in the password field *without* asking for the master
> password.
>
> I thought the Firefox password file was encrypted once one set a master
> password. It appears that Chrome is able to decrypt this file without the
> user needing to enter the master password. That seems like a *serious
> security breach*!
>
> Does anyone have any insight into this?

I don't have a master password set but IIRC, that's not the function of
a master password, that is that it's not supposed to ask when filling in
the userID and pass on a web site .. dunno, but I don't think so.

--
Jay Garcia - Netscape/Flock Champion
www.ufaq.org
Netscape - Flock - Firefox - Thunderbird - Seamonkey Support

Peter Potamus the Purple Hippo

Sep 4, 2008, 6:44:46 PM

but aren't the individual passwords based [encrypted]
on the master.

--
*IMPORTANT*: Sorry folks, but I cannot provide email
help!!!! Emails to me may become public

Notice: This posting is protected under the Free Speech
Laws, which applies everywhere in the FREE world,
except for some strange reason, not to the mozilla.org
newsgroup servers, where your posting may get you banned.

Peter Potamus & His Magic Flying Balloon:
http://melaman2.com/cartoons/singles/mp3/p-potamus.mp3
http://www.toonopedia.com/potamus.htm

Jay Garcia

Sep 4, 2008, 7:00:52 PM
On 04.09.2008 17:44, Peter Potamus the Purple Hippo wrote:

--- Original Message ---

> but aren't the individual passwords based [encrypted]
> on the master.

Don't think so. I think it's a separate function.

Ron K.

Sep 4, 2008, 7:49:05 PM
Peter Potamus the Purple Hippo keyboarded, On 9/4/2008 6:44 PM :

> Jay Garcia wrote:
>> On 04.09.2008 15:02, Peter Lairo wrote:
>>
>> --- Original Message ---
>>
>>> I just received an e-mail from a friend who tried Google Chrome and
>>> had a very disconcerting experience.
>>>
>>> He said he had a Master Password set in his Firefox profile before he
>>> installed chrome. Then he installed chrome, and it apparently copied
>>> his Firefox profile over to a new chrome profile. Then, using Chrome,
>>> he went to a site where he needs to log in and for which he had
>>> stored a password in his firefox profile. The kicker is, that he's
>>> saying that Chrome filled in the password field *without* asking for
>>> the master password.
>>>
>>> I thought the Firefox password file was encrypted once one set a
>>> master password. It appears that Chrome is able to decrypt this file
>>> without the user needing to enter the master password. That seems
>>> like a *serious security breach*!
>>>
>>> Does anyone have any insight into this?
>>
>> I don't have a master password set but IIRC, that's not the function of
>> a master password, that is that it's not supposed to ask when filling in
>> the userID and pass on a web site .. dunno, but I don't think so.
>>
>
> but aren't the individual passwords based [encrypted] on the master.
>

The encryption of the password file is a simple algorithm and the Master
Password is not a key to the code. The Master Password is to block the
Chrome UI to block access to the folder tree in Tb. Not clued in on how it
stops use of FX UI.

--
Ron K.
Who is General Failure, and why is he searching my HDD?
Kernel Restore reported Major Error used BSOD to msg the enemy!

Message has been deleted

Fox on the run

Sep 5, 2008, 8:14:26 AM

No, I do not believe it is simply a password to restrict the UI from
accessing the stored passwords. That would be poor implementation of
security as otherwise I could simply copy over the stored password
file to another profile and access them without the master password.
I am fairly confident that the master password is used to assist in
the encryption of the stored passwords. Otherwise a password cracking
tool (which does not use the FF UI) would attack the task in the same
fashion regardless if there was a master password or not seeing it
does it outside of the UI. But that is not the case. If there is a
master password, such a tool needs it thus leading me to conclude that
the master password is more than just a UI blocker but is indeed used
in the encryption process.

JB
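
The two designs contrasted in the post above (a master password that only gates the UI versus one that feeds the encryption key), as an added example that is not part of the original thread. It is a toy model built on the Python standard library, not Firefox's or Chrome's actual storage format; all function names and the sample login are constructed.

```python
import base64, hashlib, hmac, os

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _keys(master_password, salt):
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]  # encryption key, MAC key

def seal(master_password, secret):
    """Derived-key model: the record is encrypted under a key derived from the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(master_password, rec):
    """Return the secret, or None when the password is wrong or the record was altered."""
    enc_key, mac_key = _keys(master_password, rec["salt"])
    expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        return None
    ks = _keystream(enc_key, rec["nonce"], len(rec["ct"]))
    return bytes(a ^ b for a, b in zip(rec["ct"], ks))

def gate_store(master_password, secret):
    """UI-gate model: the password is only checked by the owning UI; data is merely encoded."""
    return {"pw_hash": hashlib.sha256(master_password.encode()).hexdigest(),
            "blob": base64.b64encode(secret)}

def read_file_directly(rec):
    """What any other program holding a copy of the file can do: skip the UI check."""
    return base64.b64decode(rec["blob"])

if __name__ == "__main__":
    secret = b"alice:correct-horse"  # constructed sample login
    a = gate_store("m4ster", secret)
    b = seal("m4ster", secret)
    print("UI gate, no password needed:", read_file_directly(a))
    print("derived key, wrong password:", unseal("guess", b))
    print("derived key, right password:", unseal("m4ster", b))
```
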

Fox on the run

Sep 5, 2008, 8:24:38 AM

I just tested it, and that is not the case. Chrome was successful in
importing the URLs, but neither the usernames nor the passwords. I
can only guess that the person imported those prior to setting a
master password but thought otherwise.

JB

David McRitchie

Sep 5, 2008, 10:00:21 AM
"Fox on the run"
> I just tested it, and that is not the case. Chrome was successful in
> importing the URLs, but neither the usernames nor the passwords. I
> can only guess that the person imported those prior to setting a
> master password but thought otherwise.

Importing passwords is an option during installation of Google Chrome.

Ron K.

Sep 5, 2008, 11:45:11 AM
Fox on the run keyboarded, On 9/5/2008 8:14 AM :

Perhaps to get a definitive answer the question should be asked in
mozilla.dev.security. As I said, Fx is different than Tb in part because the
current shipping products use different Gecko versions, thus differences in
security may exist.

Joshua Beall

Sep 5, 2008, 12:02:02 PM
On Sep 4, 4:02 pm, Peter Lairo <Pe...@Lairo.com> wrote:
> I just received an e-mail from a friend who tried Google Chrome and had a
> very disconcerting experience.
>
> He said he had a Master Password set in his Firefox profile before he
> installed chrome. Then he installed chrome, and it apparently copied his
> Firefox profile over to a new chrome profile. Then, using Chrome, he
> went to a site where he needs to log in and for which he had stored a
> password in his firefox profile. The kicker is, that he's saying that
> Chrome filled in the password field *without* asking for the master
> password.
>
> I thought the Firefox password file was encrypted once one set a master
> password. It appears that Chrome is able to decrypt this file without the
> user needing to enter the master password. That seems like a *serious
> security breach*!
>
> Does anyone have any insight into this?

I've installed Chrome on multiple computers, and Chrome has never been
able to get my saved passwords out of Firefox (and I always set a
master password).

I suspect your friend was mistaken about whether or not a master
password was actually set on Firefox when Chrome was installed.

-Josh

Fox on the run

Sep 5, 2008, 1:30:32 PM

And at any time thereafter through the menu...

JB

Fox on the run

Sep 5, 2008, 1:32:36 PM
On Sep 5, 10:00 am, "David McRitchie" <nospam@nospam> wrote:

Perhaps I should have been clearer on the "URLs" I was referring to.
I mean the URLs of the sites for which I had stored passwords. The
URLs were migrated over, but not the associated username & password
for each.

JB

mhilarius

Sep 6, 2008, 12:53:10 PM

I just tested it.
Chrome DID import all my passwords.
I have a Firefox Master Password set. Before I installed Chrome.

This is worrisome

Peter Lairo

Sep 6, 2008, 1:28:56 PM
Peter Lairo said on 4.9.2008 22:02:
> I just received an e-mail from a friend who tried Google Chrome and had a
> very disconcerting experience. <snip>

Here's another issue with Chrome:

After installing Chrome (to test it), I noticed that there was some
"Google Updater" or "installer" or somesuch that wasn't there before
that was trying to access the internet (firewall warning). After
uninstalling Chrome, this "Google Updater" is still trying to access the
internet! There is also no entry under "Add/Remove Programs" to get rid
of it. :-(

Any thoughts? Suggestions?

G. R. Woodring

Sep 6, 2008, 1:54:09 PM
Date: 9/6/2008 1:28 PM, Author: Peter Lairo Wrote:
> Peter Lairo said on 4.9.2008 22:02:
>> I just received an e-mail from a friend who tried Google Chrome and had a
>> very disconcerting experience. <snip>
>
> Here's another issue with Chrome:
>
> After installing Chrome (to test it), I noticed that there was some
> "Google Updater" or "installer" or somesuch that wasn't there before
> that was trying to access the internet (firewall warning). After
> uninstalling Chrome, this "Google Updater" is still trying to access the
> internet! There is also no entry under "Add/Remove Programs" to get rid
> of it. :-(
>
> Any thoughts? Suggestions?

Download the autoruns program from www.sysinternals.com. It allows you to stop
programs from running at start-up. It also displays the registry key that loads
the program as well as the path to the file on the disk.

You might also want to get rootkitrevealer while you are there.


--
G. R. Woodring

Peter Potamus the Purple Hippo

Sep 6, 2008, 2:26:42 PM
Peter Lairo wrote:
> Peter Lairo said on 4.9.2008 22:02:
>> I just received an e-mail from a friend who tried Google Chrome and had a
>> very disconcerting experience. <snip>
>
> Here's another issue with Chrome:
>
> After installing Chrome (to test it), I noticed that there was some
> "Google Updater" or "installer" or somesuch that wasn't there before
> that was trying to access the internet (firewall warning). After
> uninstalling Chrome, this "Google Updater" is still trying to access the
> internet! There is also no entry under "Add/Remove Programs" to get rid
> of it. :-(
>
> Any thoughts? Suggestions?

look in wherever you installed the program for the
updater file.

Also, remove the entry from your windows registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

surf...@gmail.com

Sep 10, 2008, 10:07:45 AM

Hello Peter

I am using firefox 3... and when I installed Chrome I was asked if I
wanted my passwords and usernames and favorites imported to it.

I clicked yes and it imported all my favorites but not the passwords
and usernames.

I first had to unlock the masterpassword and after that I was able to
import them.

Unfortunately Chrome is not asking for a Master password and it is not
possible to hide passwords and usernames in Chrome with a
Masterpassword and that was the reason I switched back to FF3 and am
not using Chrome anymore as I think it is a big security issue as
everybody who accesses my Chrome browser has immediate access to all
my pw/usernames without restrictions.

Sven
