
Huge security issue with saved passwords


Hi all!

To test this I did a complete fresh install of Firefox on Android. After installation I paired Firefox with my account via firefox.com/pair. On my PC the main password is activated and supposed to protect my passwords via encryption. After pairing and enabling the password sync option all my stored passwords are available on the Android phone. And I even can have a look at them in clear text.

This is a huge problem since it never asked me for my main password. This password is supposed to be required to decrypt this data. Which means this data is not encrypted on the Firefox servers. Which in turn means even my passwords I use on the PC are not secure.

According to all documentation I read until now I was assuming my data is only stored encrypted and can only be restored with the main password. Right now I don't really know what to do. I require a secure password store.

Many Greetings! Remo


All Replies (10)


Hi Remo,

This is not a security issue per se, you just have some misunderstanding. The primary password protects your local data on your computer. The synced data is encrypted by your Firefox Accounts password (technically a key derived from your password) on Mozilla's servers. When you log in to Sync on your phone, you give your Firefox Accounts password, which decrypts the synced data.

Regards, Balázs


Hi!

Is there some technical documentation that describes the sync process and its encryption in more detail?

I still think it is quite the security issue, if you just need access to an open instance of Firefox on a PC to get to all passwords currently stored in the current user's account. It also didn't ask me for a password to my account.

Many Greetings! Remo


Hi

In both cases, your user data (as with any other data on those devices) is protected by the password and operating system encryption that it is recommended that you have in place.

Hi!

You didn't get the point. It didn't ask for my account password on Android. So how did it decrypt the data? Since the data should be stored encrypted on Firefox servers and the key should be my password.

Many Greetings! Remo


Hi!

I had a look at the QR code and it seems to include the id and key of the account in clear text. For example: https://accounts.firefox.com/pair#channel_id=xyz&channel_key=xyz

And just as an addendum: Simply relying on OS encryption is not secure enough for something as sensitive as a password store. Each access resulting in clear text display of a password must require a password entry.

Many Greetings! Remo
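The key model the earlier reply describes (synced data is encrypted under a key derived from the account password, the local primary password plays no part), as an added illustration that is not Mozilla's code: the stretching parameters, the HMAC-based stream cipher and the record layout are simplified stand-ins for whatever Firefox Sync actually uses, and the sample login, email and password are constructed. It also models the assumption that pairing hands the new device the derived key itself, which would explain why the phone never asks for the account password.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: extract with an all-zero salt, then expand with `info`."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm = block = b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def account_key(account_password: str, email: str) -> bytes:
    """Stretch the Firefox *Account* password into a sync key (assumed parameters).
    The local primary password never enters this derivation."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", account_password.encode(), b"stretch:" + email.encode(), 100_000)
    return hkdf_sha256(stretched, b"sync-key")

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES, not a production cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys split from `key`; the server only ever stores this blob."""
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_record(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

# Constructed sample: the PC encrypts one login under the account-derived key and uploads only
# STORED_BLOB; a paired phone holding that key decrypts it, a wrong key yields None.
EMAIL, ACCOUNT_PW = "remo@example.invalid", "correct-horse-battery"
LOGIN = b'{"host":"https://example.invalid","user":"remo","password":"hunter2"}'
STORED_BLOB = encrypt_record(account_key(ACCOUNT_PW, EMAIL), LOGIN)
```

Whoever holds the account-derived key (the server never does) can read the record; a device that has it via pairing does not need the password again, which is the behaviour described in the thread.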

Your user credentials are stored on your device, not on a server.


And how does Firefox sync across devices, when credentials are not stored on a server?


Thanks for the link! This explains in sufficient detail how the process works. I need more time to look at the other topics but it seems like I need another more secure password manager. Firefox asks me for my main password as soon as I start the browser and never forgets it as long as it runs. And on mobile devices it purely relies on OS protection. For me that is not enough.


Hi,

The people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or Firefox developers. If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.

You can also file a bug report or feature request. See File a bug report or feature request for Mozilla products for details.