Get Passwords From Firefox Users With SIGNONS.TXT

It’s kind of sad that Firefox is so much more secure than Internet Explorer in so many ways, but the feature that saves passwords leaves access to your data wide open.

If you are an administrator or you have direct access to a Firefox user's PC, you can grab their passwords and transfer them over to your computer very easily. The file holding all the data is the SIGNONS.TXT file. This holds all saved usernames and passwords for each Firefox profile. You can find the file at:

C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\Profile Folder

The file is encrypted, but if you also take the KEY3.DB file from the same directory and put it on your computer, you can use the Firefox browser on your computer to access all of the sites of the hacked user. Just place the files in the same location (be sure to back up your own copies first).

You can also view the passwords in Firefox at:
TOOLS -> OPTIONS -> PRIVACY and click on the VIEW SAVED PASSWORDS button. Then choose SHOW PASSWORDS.

Protect yourself from this vulnerability:

Set a master password on Firefox.
Always lock your screen.
Disable the Saved Passwords feature in Firefox.

This article applies to Mozilla Firefox 1.5x
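To check which profiles on a machine are exposed in the way described above, an administrator can audit the Profiles folder. The following is an added example, not part of the original article: the function names are hypothetical, `signon.rememberSignons` is the Firefox preference behind the Saved Passwords option, and the script cannot tell whether a master password is set.

```python
import re
import sys
from pathlib import Path

# The two files the article says are needed together to reuse saved logins.
STORE_FILES = ("signons.txt", "key3.db")
# Preference line written when the Saved Passwords option is changed.
PREF_RE = re.compile(r'user_pref\("signon\.rememberSignons",\s*(true|false)\);')


def remember_setting(profile):
    """Return True/False if a prefs file sets the preference, else None (default: on)."""
    value = None
    for name in ("prefs.js", "user.js"):  # user.js is applied after prefs.js
        prefs = profile / name
        if prefs.is_file():
            for match in PREF_RE.finditer(prefs.read_text(errors="replace")):
                value = match.group(1) == "true"
    return value


def audit_profiles(profiles_root):
    """Report, per profile folder, which store files exist and whether saving is on."""
    report = {}
    for profile in sorted(Path(profiles_root).iterdir()):
        if not profile.is_dir():
            continue
        present = {p.name.lower() for p in profile.iterdir() if p.is_file()}
        found = [name for name in STORE_FILES if name in present]
        report[profile.name] = {
            "store_files": found,
            # Saving stays enabled unless a prefs file explicitly turns it off.
            "saving_enabled": remember_setting(profile) is not False,
            # Both files present: the profile matches the article's scenario.
            "store_complete": len(found) == len(STORE_FILES),
        }
    return report


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <path to Firefox Profiles folder>")
    for name, result in audit_profiles(sys.argv[1]).items():
        print(name, result)
```

Profiles reported with `store_complete` set to true and `saving_enabled` still on are the ones to follow up on with the mitigations listed above.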

Comments

  1. just pointing it out ... says

    Uhm … if you have access to a PC, you basically “own” it anyway. You shouldn’t be handling private data on a computer other people have access to, anyway. IMHO this is not a security problem and not even sad!
