Mozilla Foundation Security Advisory 2019-24

Stored passwords in 'Saved Logins' can be copied without master password entry

Announced

August 14, 2019

Impact

moderate

Products

Firefox, Firefox ESR

Fixed in

Firefox 68.0.2
Firefox ESR 68.0.2

#CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without master password entry

Reporter: None
Impact: moderate

Description

When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords.

References

Bug 1565780

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising